Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561816
MD5:	9f60bc3ce0041ca8d6665c3d7be1c33f
SHA1:	c785f145cf223a6f247c2336815eea81a702adbe
SHA256:	dcc77a8377b2848695569a7e8a5b9468416da8d07d94c136449843e59e2e492f
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 1812 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9F60BC3CE0041CA8D6665C3D7BE1C33F)

taskkill.exe (PID: 2268 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5868 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1468 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5720 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5012 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3160 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4392 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5208 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5896 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6807ab7b-751a-454b-9212-796b867fa420} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14dd6e6eb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7232 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 2940 -prefMapHandle 4208 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9f1bbef-5c1f-4c5e-a379-f35316c8fad8} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14de946a110 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7808 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5128 -prefMapHandle 5124 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b85e3d19-1243-43ff-b9ce-b6f45ccaee44} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14def556b10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 1812	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_008EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_008EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008EED6A

Source: C:\Users\user\Desktop\file.exe

0_2_008EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_008DAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00909576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00909576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2210160942.0000000000932000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c6d02867-a
Source: file.exe, 00000000.00000000.2210160942.0000000000932000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_06ddfd49-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_64eca244-1
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fb1660c1-c

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000024D59AE39F7 NtQuerySystemInformation,		17_2_0000024D59AE39F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000024D59AE9F72 NtQuerySystemInformation,		17_2_0000024D59AE9F72

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_008DD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_008D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008DE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E2046	0_2_008E2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00878060	0_2_00878060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D8298	0_2_008D8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AE4FF	0_2_008AE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A676B	0_2_008A676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00904873	0_2_00904873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089CAA0	0_2_0089CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087CAF0	0_2_0087CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088CC39	0_2_0088CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A6DD9	0_2_008A6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008791C0	0_2_008791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088B119	0_2_0088B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00891394	0_2_00891394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089781B	0_2_0089781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00877920	0_2_00877920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088997D	0_2_0088997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00897A4A	0_2_00897A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00897CA7	0_2_00897CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A9EEE	0_2_008A9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FBE44	0_2_008FBE44
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000024D59AE39F7	17_2_0000024D59AE39F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000024D59AE9F72	17_2_0000024D59AE9F72
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000024D59AE9FB2	17_2_0000024D59AE9FB2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_0000024D59AEA69C	17_2_0000024D59AEA69C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00879CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00890A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0088F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E37B5 GetLastError,FormatMessageW,

0_2_008E37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D10BF AdjustTokenPrivileges,CloseHandle,		0_2_008D10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008D16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008E51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008DD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_008E648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008742A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2448307038.0000014DF1016000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2399236229.0000014DF248D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2442366651.0000014DE6E22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2448307038.0000014DF1016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2448307038.0000014DF1016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2448307038.0000014DF1016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2448307038.0000014DF1016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2448307038.0000014DF1016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2448307038.0000014DF1016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2448307038.0000014DF1016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2448307038.0000014DF1016000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6807ab7b-751a-454b-9212-796b867fa420} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14dd6e6eb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 2940 -prefMapHandle 4208 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9f1bbef-5c1f-4c5e-a379-f35316c8fad8} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14de946a110 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5128 -prefMapHandle 5124 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b85e3d19-1243-43ff-b9ce-b6f45ccaee44} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14def556b10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6807ab7b-751a-454b-9212-796b867fa420} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14dd6e6eb10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 2940 -prefMapHandle 4208 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9f1bbef-5c1f-4c5e-a379-f35316c8fad8} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14de946a110 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5128 -prefMapHandle 5124 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b85e3d19-1243-43ff-b9ce-b6f45ccaee44} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14def556b10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2329735204.0000014DF281B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2364933857.0000014DF2829000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2362499123.0000014DF282B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2363487382.0000014DF2825000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2364933857.0000014DF2829000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2362499123.0000014DF282B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2363949786.0000014DE4990000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2329735204.0000014DF281B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2363487382.0000014DF2825000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2363949786.0000014DE4990000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008742DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00890A76 push ecx; ret

0_2_00890A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0088F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00901C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00901C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96255

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000024D59AE39F7 rdtsc

17_2_0000024D59AE39F7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008DDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008AC2A2 FindFirstFileExW,	0_2_008AC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E68EE FindFirstFileW,FindClose,	0_2_008E68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_008E698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008DD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008DD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008E9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008E979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_008E9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_008E5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008742DE

Source: firefox.exe, 00000010.00000002.3480304232.0000016E2D1BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: firefox.exe, 00000012.00000002.3478999462.0000013EFA2DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp2x
Source: firefox.exe, 0000000E.00000003.2337687609.0000014DD8B4B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2336277561.0000014DD8B4B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355333506.0000014DD8B4B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3485214084.0000016E2D700000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3478995560.0000024D5935A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3484762812.0000024D59B10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3483831360.0000013EFA780000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3484606904.0000016E2D61E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000E.00000003.2337687609.0000014DD8B4B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2336277561.0000014DD8B4B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355333506.0000014DD8B4B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3485214084.0000016E2D700000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3484762812.0000024D59B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000011.00000002.3484762812.0000024D59B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
Source: firefox.exe, 00000010.00000002.3485214084.0000016E2D700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_0000024D59AE39F7 rdtsc

17_2_0000024D59AE39F7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008EEAA2 BlockInput,

0_2_008EEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008A2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00894CE8 mov eax, dword ptr fs:[00000030h]

0_2_00894CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_008D0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008A2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0089083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0089083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008909D5 SetUnhandledExceptionFilter,	0_2_008909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00890C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00890C21

Source: C:\Users\user\Desktop\file.exe

0_2_008D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008B2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008DB226 SendInput,keybd_event,

0_2_008DB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008F22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_008D0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008D1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2335365642.0000014DF285B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00890698 cpuid

0_2_00890698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_008E8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008CD27A GetUserNameW,

0_2_008CD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008AB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_008AB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008742DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1812, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 1812, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_008F1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_008F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://www.tsn.callback	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.193	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.21.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3480846199.0000013EFA6C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2397668562.0000014DF26E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2400261892.0000014DEFDAB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2372851138.0000014DEB02A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2279884434.0000014DEB034000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=https://ac.	firefox.exe, 00000012.00000002.3483545099.0000013EFA770000.00000004.00000020.00020000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3480472417.0000024D59586000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3480846199.0000013EFA68F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2311224177.0000014DEF87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2448528083.0000014DEF873000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2437151556.0000014DEF873000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2400729125.0000014DEF856000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2436550757.0000014DE8F14000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2439050192.0000014DE89D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2410411915.0000014DE8F14000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2263229384.0000014DE6F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264288911.0000014DE7131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265663202.0000014DE7152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263864221.0000014DE710F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2435050047.0000014DE91D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285872742.0000014DE91D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2439458468.0000014DE898C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2403024149.0000014DEADF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2449802858.0000014DEAF48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2408866443.0000014DE95EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376205035.0000014DE87F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2439458468.0000014DE893B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2448528083.0000014DEF882000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2400729125.0000014DEF856000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263864221.0000014DE710F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000E.00000003.2404786807.0000014DEA640000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2263229384.0000014DE6F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264288911.0000014DE7131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263864221.0000014DE710F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000E.00000003.2450982234.0000014DEAB8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2403926498.0000014DEA699000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2409232208.0000014DE9494000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2311224177.0000014DEF87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2448528083.0000014DEF873000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2437151556.0000014DEF873000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2400729125.0000014DEF856000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=https://ac	firefox.exe, 00000011.00000002.3483883502.0000024D59630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2425028564.0000014DF0F5F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2298061926.0000014DE8AD2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2311224177.0000014DEF8A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000E.00000003.2410461820.0000014DE8F04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2446827935.0000014DF2615000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2402015326.0000014DEAE31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3480472417.0000024D59503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3480846199.0000013EFA60C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2321270844.0000014DE8E2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2441105615.0000014DE7F9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2432850637.0000014DF0F5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2425028564.0000014DF0F5F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3480846199.0000013EFA6C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2288358678.0000014DE839A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2288358678.0000014DE83A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2291171002.0000014DE8378000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2294327430.0000014DE8753000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2442531061.0000014DEFDDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2439458468.0000014DE898C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.tsn.callback	firefox.exe, 0000000E.00000003.2296014087.0000014DE8A3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375955512.0000014DE8A18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296292546.0000014DE8A1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2443478342.0000014DE984D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=https://accounts.googl	firefox.exe, 00000010.00000002.3480304232.0000016E2D1BA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2398417194.0000014DF261E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/	firefox.exe, 00000012.00000002.3480846199.0000013EFA613000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/account?=https://accounts.googlX	firefox.exe, 00000012.00000002.3478999462.0000013EFA2DA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2403024149.0000014DEADF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2444029012.0000014DE9530000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2440036339.0000014DE8926000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2404786807.0000014DEA630000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2406666047.0000014DEA543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363836073.0000014DE8ACF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2406666047.0000014DEA54E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298061926.0000014DE8AD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2298061926.0000014DE8AA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294327430.0000014DE8753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2269596569.0000014DE47DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372851138.0000014DEB018000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2434068342.0000014DE9BDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2409190623.0000014DE9568000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2442036984.0000014DE754A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2363836073.0000014DE8AD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294327430.0000014DE87C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2370701470.0000014DE47D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2294327430.0000014DE873F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2372851138.0000014DEB00F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2407010815.0000014DE9BDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284308875.0000014DEAF9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2452367296.0000014DE9BDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315825812.0000014DE82C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2405561053.0000014DEA620000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2405561053.0000014DEA628000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2401580895.0000014DEAF91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2400261892.0000014DEFD90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284308875.0000014DEAF91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2401580895.0000014DEAF91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2400261892.0000014DEFD90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284308875.0000014DEAF91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2444029012.0000014DE9530000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2372851138.0000014DEB02A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2444029012.0000014DE9520000.00000004.00000800.00020000.00000000.sdmp	false		high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2449802858.0000014DEAF48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2410411915.0000014DE8F14000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2440391673.0000014DE88BF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2427165229.0000014DEA65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2433450647.0000014DEA65E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2452264323.0000014DEA664000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404786807.0000014DEA65E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2321270844.0000014DE8E2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2320754655.0000014DE90FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2432850637.0000014DF0F5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2425028564.0000014DF0F5F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2448902260.0000014DEF67C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2423038851.0000014DF24AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2399236229.0000014DF24AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2454026441.0000014DF24AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2263864221.0000014DE710F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000E.00000003.2311224177.0000014DEF87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2437151556.0000014DEF882000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263229384.0000014DE6F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264288911.0000014DE7131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2265663202.0000014DE7152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376205035.0000014DE87F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2439458468.0000014DE893B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2448528083.0000014DEF882000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2400729125.0000014DEF856000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2263864221.0000014DE710F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2403024149.0000014DEADF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2311224177.0000014DEF87C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2448528083.0000014DEF873000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2437151556.0000014DEF873000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2400729125.0000014DEF856000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.3484352895.0000016E2D550000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3484227858.0000024D59AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3480422099.0000013EFA460000.00000002.10000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561816
Start date and time:	2024-11-24 11:32:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.32.237.164, 34.209.229.249, 52.27.142.243, 172.217.17.42, 172.217.17.74, 172.217.17.78, 88.221.134.155, 88.221.134.209
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, incoming.telemetry.mozilla.org, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, azureedge-t-prod.trafficmanager.net, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 5208 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
05:33:22	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	zapret.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	zgp.elf	Get hash	malicious	Mirai	Browse	56.101.120.102
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8fb3b949-7fcf-48e1-bd50-adae5b1cbdb8.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.176401088147076
Encrypted:	false
SSDEEP:	192:JBMXKU/cbhbVbTbfbRbObtbyEl7nMrmJA6unSrDtTkdxSofZ:JizcNhnzFSJsrl1nSrDhkdxN
MD5:	FFCA99C7B722A0FFA9C9953B9CA0FA63
SHA1:	6292570EBCF01DF399D37E2EC437370BDA4CF0A9
SHA-256:	F9D9AC1C76F61826B0E3EBF499628E72F2D12A9400A546BCEE35D1180D892FAC
SHA-512:	CC23511945E476DCDE809E0A1F7532EEF8C70FA9674939DFE6F830B7B12C8CFF601ED8A61B512B91BCF31804EFE44A7F2A5C73D6BEF815D86A6AEE8407924368
Malicious:	false
Preview:	{"type":"uninstall","id":"8fb3b949-7fcf-48e1-bd50-adae5b1cbdb8","creationDate":"2024-11-24T12:20:20.395Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8fb3b949-7fcf-48e1-bd50-adae5b1cbdb8.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.176401088147076
Encrypted:	false
SSDEEP:	192:JBMXKU/cbhbVbTbfbRbObtbyEl7nMrmJA6unSrDtTkdxSofZ:JizcNhnzFSJsrl1nSrDhkdxN
MD5:	FFCA99C7B722A0FFA9C9953B9CA0FA63
SHA1:	6292570EBCF01DF399D37E2EC437370BDA4CF0A9
SHA-256:	F9D9AC1C76F61826B0E3EBF499628E72F2D12A9400A546BCEE35D1180D892FAC
SHA-512:	CC23511945E476DCDE809E0A1F7532EEF8C70FA9674939DFE6F830B7B12C8CFF601ED8A61B512B91BCF31804EFE44A7F2A5C73D6BEF815D86A6AEE8407924368
Malicious:	false
Preview:	{"type":"uninstall","id":"8fb3b949-7fcf-48e1-bd50-adae5b1cbdb8","creationDate":"2024-11-24T12:20:20.395Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.931719962600714
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLJ28P:gXiNFS+OcUGOdwiOdwBjkYLJ28P
MD5:	2875BAD9968F0A90E8556728BD30F121
SHA1:	62E01C3A79662B922947AF3C58303D03AF215D09
SHA-256:	522E189066BCC95DF1A5E7FA7F27BB1E460E14BFE8828FF7CA62ED256D51EE66
SHA-512:	78E19D0F0E36CC6BE536C26A5C96D9518D816425364710C819A537271115513EAFE5FE24015C056AB2B507234B46780250D8E99DBE33313B1ED22800B1094EC3
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.931719962600714
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsLJ28P:gXiNFS+OcUGOdwiOdwBjkYLJ28P
MD5:	2875BAD9968F0A90E8556728BD30F121
SHA1:	62E01C3A79662B922947AF3C58303D03AF215D09
SHA-256:	522E189066BCC95DF1A5E7FA7F27BB1E460E14BFE8828FF7CA62ED256D51EE66
SHA-512:	78E19D0F0E36CC6BE536C26A5C96D9518D816425364710C819A537271115513EAFE5FE24015C056AB2B507234B46780250D8E99DBE33313B1ED22800B1094EC3
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 26944 bytes
Category:	dropped
Size (bytes):	6071
Entropy (8bit):	6.61263436125208
Encrypted:	false
SSDEEP:	96:72YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlSAJVrfzjZXjkTndS12opTaM:7Tx2x2t0FDJ4NF6ILDfzjtedh6TX
MD5:	FD36D36BC5077FC3D16CD68CC7FFC65A
SHA1:	2111D7339EA8F94FC7F4F8E2964ABDBE6198F90B
SHA-256:	3A65636ABBCBF9BC2447FEA1BCE9BFC0E6DACD10D5721D21D670A537FFF0D545
SHA-512:	074547A0C2D572BA22D27A4EC3A0957C27B72E732D0ED37501C30A9657CAD258584819D3A92215B52638888D9FC0682E871F454B0ECBFC75373CBAE38DA4D656
Malicious:	false
Preview:	mozLz40.@i....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07328317133069709
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkihz:DLhesh7Owd4+jihz
MD5:	C71F1D279D8AE9946015530B6F1445DA
SHA1:	E27881E4DBD12C03F50404C55B700D784CE8BC55
SHA-256:	0CB7199A8B0E017E5807F7B443D065513CDBA617C46BD479B53020B41BA4C0F8
SHA-512:	D09478D7029F71239F63C88B7CEAAD14F9E6D433BFE5B6AC34568C61518939AE73B691CBB7C20F76693DC28C90E505016C79466C9CCB02733BEBD1AA9D52F8E3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFseTe2QEVttlstFseTe2QEG/J89//alEl:GtWtueTbxtWtueTbAx89XuM
MD5:	F2ADA82CA9A6EFD3FA54590C60E4638D
SHA1:	CFB4ED3ABBAA6941AFA542423AA2203022341FFE
SHA-256:	F926AB07AA5C2450BAAD5F3ED7234B8174AF34C7FF56D4ECE9DDDF8C6C76E7F7
SHA-512:	557DF2F31E2823F94ABAFB2B979E34546DDDA326405AE672A8D45AB49E792204DFCC7E224DF8E09CE8F2270D65A1618169A9FC545361158065B6A92C9A3BDC30
Malicious:	false
Preview:	..-.....................{w.:.V....x.....d..b..-.....................{w.:.V....x.....d..b........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.035083953161994426
Encrypted:	false
SSDEEP:	3:Ol1eZU3wDjBvXtBglx5SrV//mwl8XW3R2:K2UmBtBgspuw93w
MD5:	18F45364C94BDF65255E559B9036C4F4
SHA1:	BF66C1F309E327132DEB80C9AD509E1E3C5607A4
SHA-256:	7E1E1F60ABAAFDD4F5D55DEF7DF092B606FFD439E0A295B580AF418842264EED
SHA-512:	9D80594BF886E951EFBCCD29F8490E12768050ACCA949925C70BC3E9FBA95DD325B9E40D875FA987CE854C313F83880A1ADF532CC95D43F94C57D1D475953487
Malicious:	false
Preview:	7....-.............x...\|.................x....w{.V.:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.4677187681646995
Encrypted:	false
SSDEEP:	192:IwnTFTRRUYbBp6NLZNMGaXnR6qU49Hzy+/3/7JZ5RYiNBw8d5Sl:TKewFNMkGTyCfdwW0
MD5:	B29D3BE50C181B621CE8A007923AFF0A
SHA1:	98BDA8CF80B4B66C2050DC0459064C3E0497772D
SHA-256:	DE1A860DCF2751F19E40C49E7CB466859DE591E159CBFD7CB234BEB7FFC70C0F
SHA-512:	449AA1E7EB4BDE78BE8D9F26AB44F8F03428F373D854C5A7397A531E5D8660AD0DD26FD03A376E9699A53106FF3AF89EB16241EE6224A9258BB88F6B3ABF6698
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732450790);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732450790);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732450790);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173245

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.4677187681646995
Encrypted:	false
SSDEEP:	192:IwnTFTRRUYbBp6NLZNMGaXnR6qU49Hzy+/3/7JZ5RYiNBw8d5Sl:TKewFNMkGTyCfdwW0
MD5:	B29D3BE50C181B621CE8A007923AFF0A
SHA1:	98BDA8CF80B4B66C2050DC0459064C3E0497772D
SHA-256:	DE1A860DCF2751F19E40C49E7CB466859DE591E159CBFD7CB234BEB7FFC70C0F
SHA-512:	449AA1E7EB4BDE78BE8D9F26AB44F8F03428F373D854C5A7397A531E5D8660AD0DD26FD03A376E9699A53106FF3AF89EB16241EE6224A9258BB88F6B3ABF6698
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732450790);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732450790);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732450790);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173245

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.333624851350817
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSO5LXnIgH/pnxQwRlszT5sKLx3eHVvwKXTNamhujJmyOOxmOmaoRh4:GUpOxd5pnR613eNwCTN4JNKRh4
MD5:	510D2764A8A31961DA2FFAD8F7A1E500
SHA1:	7B5BD15F2F91A616065012EB9A320A5B62D2C1F9
SHA-256:	84FD94DE9A484E9434265F19C9A120F75571CB5C961C3402E8F06B64DA038409
SHA-512:	46F482E997F1C0B4B857573DEC4F813A11E4F7CC3FE0ADBF5790793452BF86B111C57D059426372FAA59AEBB1AA1295EEEF114C7F46A50B496C859E8B7EC0049
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6e395ce2-d377-40e2-9ed3-f2ced56a9eb3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732450795155,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P60093...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...66041,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.333624851350817
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSO5LXnIgH/pnxQwRlszT5sKLx3eHVvwKXTNamhujJmyOOxmOmaoRh4:GUpOxd5pnR613eNwCTN4JNKRh4
MD5:	510D2764A8A31961DA2FFAD8F7A1E500
SHA1:	7B5BD15F2F91A616065012EB9A320A5B62D2C1F9
SHA-256:	84FD94DE9A484E9434265F19C9A120F75571CB5C961C3402E8F06B64DA038409
SHA-512:	46F482E997F1C0B4B857573DEC4F813A11E4F7CC3FE0ADBF5790793452BF86B111C57D059426372FAA59AEBB1AA1295EEEF114C7F46A50B496C859E8B7EC0049
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6e395ce2-d377-40e2-9ed3-f2ced56a9eb3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732450795155,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P60093...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...66041,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.333624851350817
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSO5LXnIgH/pnxQwRlszT5sKLx3eHVvwKXTNamhujJmyOOxmOmaoRh4:GUpOxd5pnR613eNwCTN4JNKRh4
MD5:	510D2764A8A31961DA2FFAD8F7A1E500
SHA1:	7B5BD15F2F91A616065012EB9A320A5B62D2C1F9
SHA-256:	84FD94DE9A484E9434265F19C9A120F75571CB5C961C3402E8F06B64DA038409
SHA-512:	46F482E997F1C0B4B857573DEC4F813A11E4F7CC3FE0ADBF5790793452BF86B111C57D059426372FAA59AEBB1AA1295EEEF114C7F46A50B496C859E8B7EC0049
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6e395ce2-d377-40e2-9ed3-f2ced56a9eb3}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732450795155,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P60093...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...66041,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.008616752671785
Encrypted:	false
SSDEEP:	48:YrSAYuHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJFde:ycuCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	3B2BB0E8A58DA7D6DF84D631AC97F5E0
SHA1:	887F8FBAAD1FEEA10D134C3F42E684773E9CAA4A
SHA-256:	972DAB5F494EC026A37126C541F1F56EF3F8B84894164B62A600F5AAA51A8477
SHA-512:	370F5E0FC645162D840392C97002FDF06408F100C823337D08227CCEB024A7E92358B7E75238E4256BD054F807FDEB6901B85CF62E812F0F72A8E8C301F2F903
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T12:19:35.820Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.008616752671785
Encrypted:	false
SSDEEP:	48:YrSAYuHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJFde:ycuCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	3B2BB0E8A58DA7D6DF84D631AC97F5E0
SHA1:	887F8FBAAD1FEEA10D134C3F42E684773E9CAA4A
SHA-256:	972DAB5F494EC026A37126C541F1F56EF3F8B84894164B62A600F5AAA51A8477
SHA-512:	370F5E0FC645162D840392C97002FDF06408F100C823337D08227CCEB024A7E92358B7E75238E4256BD054F807FDEB6901B85CF62E812F0F72A8E8C301F2F903
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T12:19:35.820Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.593698379502536
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	923'136 bytes
MD5:	9f60bc3ce0041ca8d6665c3d7be1c33f
SHA1:	c785f145cf223a6f247c2336815eea81a702adbe
SHA256:	dcc77a8377b2848695569a7e8a5b9468416da8d07d94c136449843e59e2e492f
SHA512:	5fbdf92f080336cbdd30854e7adf2b4e1d27cc3cf4238d44b2bae12b98dabce6dc7afaf3e6403fbecffdeb2e78ec27dbc92561210e1888b331960f099571bf74
SSDEEP:	24576:3qDEvCTbMWu7rQYlBQcBiT6rprG8a9qt:3TvC/MTQYxsWR7a9q
TLSH:	F3159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6742FF39 [Sun Nov 24 10:26:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F2E847F2CA3h
jmp 00007F2E847F25AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2E847F278Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2E847F275Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F2E847F534Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F2E847F5398h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F2E847F5381h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xaa0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xaa0c	0xac00	6961cc1fb1c42fb761bd0e102f63dd73	False	0.3749545784883721	data	5.688494198752477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1cd4	data			1.001490514905149
RT_GROUP_ICON	0xde48c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde504	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde518	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde52c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde540	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde61c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 11:33:18.720782995 CET	49735	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:18.720840931 CET	443	49735	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:18.722989082 CET	49735	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:18.727291107 CET	49735	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:18.727309942 CET	443	49735	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:19.264611006 CET	49739	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:19.266539097 CET	49740	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:19.266578913 CET	443	49740	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:19.266661882 CET	49741	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:19.266685963 CET	443	49741	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:19.266926050 CET	49740	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:19.266984940 CET	49741	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:19.268553019 CET	49740	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:19.268570900 CET	443	49740	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:19.269889116 CET	49741	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:19.269926071 CET	443	49741	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:19.384978056 CET	80	49739	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:19.385817051 CET	49739	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:19.385986090 CET	49739	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:19.505537033 CET	80	49739	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:19.990086079 CET	443	49735	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:19.996776104 CET	49735	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:20.362396002 CET	49742	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:20.362425089 CET	443	49742	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:20.367474079 CET	49742	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:20.367521048 CET	49735	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:20.367538929 CET	443	49735	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:20.367662907 CET	49735	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:20.367831945 CET	443	49735	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:20.369137049 CET	49742	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:20.369149923 CET	443	49742	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:20.369594097 CET	49735	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:20.502254963 CET	49744	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:20.502278090 CET	443	49744	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:20.502598047 CET	49744	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:20.504342079 CET	49744	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:20.504357100 CET	443	49744	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:20.518558025 CET	49745	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:20.518589020 CET	443	49745	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:20.519347906 CET	49745	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:20.519510984 CET	49745	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:20.519524097 CET	443	49745	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:20.523361921 CET	80	49739	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:20.604286909 CET	49739	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:20.629236937 CET	49747	443	192.168.2.6	34.160.144.191
Nov 24, 2024 11:33:20.629259109 CET	443	49747	34.160.144.191	192.168.2.6
Nov 24, 2024 11:33:20.630465031 CET	49747	443	192.168.2.6	34.160.144.191
Nov 24, 2024 11:33:20.630645990 CET	49747	443	192.168.2.6	34.160.144.191
Nov 24, 2024 11:33:20.630661011 CET	443	49747	34.160.144.191	192.168.2.6
Nov 24, 2024 11:33:20.723721027 CET	49750	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:20.843588114 CET	80	49750	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:20.846653938 CET	49750	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:20.846801996 CET	49750	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:20.966320992 CET	80	49750	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:21.076189041 CET	443	49741	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:21.076287985 CET	49741	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.077075958 CET	443	49740	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:21.077193975 CET	443	49741	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:21.077198982 CET	49740	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.077331066 CET	49741	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.077779055 CET	443	49740	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:21.077831984 CET	49740	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.083112001 CET	49740	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.083123922 CET	443	49740	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:21.083216906 CET	49740	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.083381891 CET	443	49740	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:21.083765984 CET	49740	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.086148024 CET	49741	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.086157084 CET	443	49741	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:21.086199045 CET	49741	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.086458921 CET	443	49741	142.250.181.78	192.168.2.6
Nov 24, 2024 11:33:21.087482929 CET	49741	443	192.168.2.6	142.250.181.78
Nov 24, 2024 11:33:21.364073038 CET	49739	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:21.483546019 CET	80	49739	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:21.653023005 CET	443	49742	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:21.653099060 CET	49742	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.657063007 CET	49742	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.657073975 CET	443	49742	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:21.657183886 CET	49742	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.657247066 CET	443	49742	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:21.657548904 CET	49753	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.657592058 CET	443	49753	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:21.657594919 CET	49742	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.657655001 CET	49753	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.659017086 CET	49753	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.659034014 CET	443	49753	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:21.689513922 CET	80	49739	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:21.786221981 CET	443	49744	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:21.786391020 CET	49744	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.793294907 CET	49744	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.793334007 CET	443	49744	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:21.793385029 CET	49744	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.793486118 CET	443	49744	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:21.793824911 CET	49744	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:21.795265913 CET	443	49745	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:21.796540022 CET	49745	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:21.799695969 CET	49745	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:21.799710035 CET	443	49745	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:21.800025940 CET	443	49745	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:21.802041054 CET	49745	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:21.802136898 CET	49745	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:21.802192926 CET	443	49745	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:21.802267075 CET	49745	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:21.807750940 CET	49739	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:21.873081923 CET	443	49747	34.160.144.191	192.168.2.6
Nov 24, 2024 11:33:21.877108097 CET	49747	443	192.168.2.6	34.160.144.191
Nov 24, 2024 11:33:21.880067110 CET	49747	443	192.168.2.6	34.160.144.191
Nov 24, 2024 11:33:21.880076885 CET	443	49747	34.160.144.191	192.168.2.6
Nov 24, 2024 11:33:21.880590916 CET	443	49747	34.160.144.191	192.168.2.6
Nov 24, 2024 11:33:21.881994963 CET	49747	443	192.168.2.6	34.160.144.191
Nov 24, 2024 11:33:21.882077932 CET	49747	443	192.168.2.6	34.160.144.191
Nov 24, 2024 11:33:21.882236958 CET	443	49747	34.160.144.191	192.168.2.6
Nov 24, 2024 11:33:21.882313013 CET	49747	443	192.168.2.6	34.160.144.191
Nov 24, 2024 11:33:21.882479906 CET	49747	443	192.168.2.6	34.160.144.191
Nov 24, 2024 11:33:21.960566044 CET	49750	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:21.988208055 CET	80	49750	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:21.988272905 CET	49750	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.080439091 CET	80	49750	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:22.080881119 CET	49750	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.524334908 CET	49739	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.528713942 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.644133091 CET	80	49739	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:22.644221067 CET	49739	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.648268938 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:22.648351908 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.648533106 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.659347057 CET	49755	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:22.659379005 CET	443	49755	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:22.663495064 CET	49755	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:22.665036917 CET	49755	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:22.665059090 CET	443	49755	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:22.665543079 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.768165112 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:22.785010099 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:22.785141945 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.785307884 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:22.904803038 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:22.930727959 CET	443	49753	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:22.939342022 CET	443	49753	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:22.944667101 CET	49753	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:22.944786072 CET	49753	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:22.953435898 CET	49753	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:22.953440905 CET	443	49753	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:22.953517914 CET	49753	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:22.953645945 CET	443	49753	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:22.958334923 CET	49753	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:23.543824911 CET	49763	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:23.543886900 CET	443	49763	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:23.544290066 CET	49763	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:23.544480085 CET	49763	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:23.544500113 CET	443	49763	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:23.712347984 CET	49764	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:23.712404966 CET	443	49764	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:23.712480068 CET	49764	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:23.713999033 CET	49764	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:23.714011908 CET	443	49764	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:23.764106035 CET	49766	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:23.764133930 CET	443	49766	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:23.764250040 CET	49766	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:23.765728951 CET	49766	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:23.765742064 CET	443	49766	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:23.766839027 CET	49767	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:23.766865015 CET	443	49767	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:23.767050028 CET	49767	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:23.768467903 CET	49767	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:23.768482924 CET	443	49767	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:23.787379980 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:23.851331949 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:23.899643898 CET	443	49755	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:23.903429985 CET	49755	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:23.907514095 CET	49755	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:23.907536030 CET	443	49755	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:23.907603979 CET	49755	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:23.907754898 CET	443	49755	34.117.188.166	192.168.2.6
Nov 24, 2024 11:33:23.908113003 CET	49755	443	192.168.2.6	34.117.188.166
Nov 24, 2024 11:33:23.933413029 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:23.982884884 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:24.029105902 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:24.031919003 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:24.148672104 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:24.151499033 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:24.355638981 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:24.359901905 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:24.399663925 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:24.415478945 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:24.769929886 CET	443	49763	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:24.770076990 CET	49763	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:24.905850887 CET	49763	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:24.905957937 CET	443	49763	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:24.906397104 CET	443	49763	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:24.908601999 CET	49763	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:24.908683062 CET	49763	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:24.908899069 CET	443	49763	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:24.908982992 CET	49763	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:25.000853062 CET	443	49766	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:25.000952959 CET	49766	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:25.039355040 CET	49766	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:25.039374113 CET	443	49766	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:25.039551973 CET	49766	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:25.039905071 CET	443	49766	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:25.039989948 CET	49766	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:25.045418978 CET	443	49764	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:25.045511961 CET	49764	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:25.050102949 CET	49764	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:25.050115108 CET	443	49764	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:25.050172091 CET	49764	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:25.050371885 CET	443	49764	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:25.050493956 CET	49764	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:25.106442928 CET	443	49767	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:25.106529951 CET	49767	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:25.112452030 CET	49767	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:25.112471104 CET	443	49767	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:25.112556934 CET	49767	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:25.112668037 CET	443	49767	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:25.113007069 CET	49767	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:26.432373047 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:26.500797987 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:26.551955938 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:26.620368958 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:26.755646944 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:26.798928976 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:26.830261946 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:26.894959927 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:27.074477911 CET	49773	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:27.074528933 CET	443	49773	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:27.074948072 CET	49773	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:27.076421022 CET	49773	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:27.076433897 CET	443	49773	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:28.464700937 CET	443	49773	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:28.464778900 CET	49773	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:28.469872952 CET	49773	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:28.469882965 CET	443	49773	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:28.469969034 CET	49773	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:28.470026016 CET	443	49773	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:28.470097065 CET	49773	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:30.873658895 CET	49785	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:30.873698950 CET	443	49785	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:30.874018908 CET	49786	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:30.874063969 CET	443	49786	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:30.875597954 CET	49786	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:30.875601053 CET	49785	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:30.875690937 CET	49785	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:30.875699997 CET	443	49785	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:30.875869989 CET	49786	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:30.875883102 CET	443	49786	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.133785009 CET	443	49785	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.133876085 CET	49785	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.134576082 CET	443	49786	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.134707928 CET	49786	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.320735931 CET	49785	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.320759058 CET	443	49785	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.321080923 CET	443	49785	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.323044062 CET	49786	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.323060989 CET	443	49786	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.323143005 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:32.323369980 CET	443	49786	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.329969883 CET	49785	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.330064058 CET	49785	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.330163956 CET	443	49785	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.330370903 CET	49786	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.330391884 CET	49786	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.330555916 CET	443	49786	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.337070942 CET	49785	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.337095022 CET	49786	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.433922052 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:32.442409992 CET	49794	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.442482948 CET	443	49794	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.442867041 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:32.449945927 CET	49794	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.451255083 CET	49794	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:32.451268911 CET	443	49794	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:32.553751945 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:32.646939993 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:32.697134972 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:32.757978916 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:32.813183069 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:33.131228924 CET	49795	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:33.131283998 CET	443	49795	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:33.134265900 CET	49795	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:33.135710955 CET	49795	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:33.135725975 CET	443	49795	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:33.141562939 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:33.262219906 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:33.466204882 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:33.515178919 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:33.754719973 CET	443	49794	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:33.754735947 CET	443	49794	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:33.756217003 CET	49794	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:34.020945072 CET	49794	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:34.020960093 CET	443	49794	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:34.021078110 CET	49794	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:34.021189928 CET	443	49794	34.120.208.123	192.168.2.6
Nov 24, 2024 11:33:34.021416903 CET	49794	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:33:34.114923000 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:34.234422922 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:34.446424007 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:34.451834917 CET	443	49795	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:34.451921940 CET	49795	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:34.486839056 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:34.892355919 CET	49795	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:34.892373085 CET	443	49795	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:34.892455101 CET	49795	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:34.892597914 CET	443	49795	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:34.897187948 CET	49795	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:35.758536100 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:35.760113001 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:35.878232002 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:35.879580975 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:36.082082987 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:36.084472895 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:36.122678995 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:36.138293028 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:36.690210104 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:36.811079979 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:37.013834000 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:37.063172102 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:43.606689930 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:43.726442099 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:43.930792093 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:43.935929060 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:43.983339071 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:44.056685925 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:44.272629023 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:44.315682888 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:45.091641903 CET	49825	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:45.091706038 CET	443	49825	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:45.092066050 CET	49825	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:45.093440056 CET	49825	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:45.093461037 CET	443	49825	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:46.362379074 CET	443	49825	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:46.362464905 CET	49825	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:46.368141890 CET	49825	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:46.368148088 CET	443	49825	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:46.368299961 CET	443	49825	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:46.368302107 CET	49825	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:46.368313074 CET	443	49825	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:46.371210098 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:46.491189957 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:46.579325914 CET	443	49825	34.107.243.93	192.168.2.6
Nov 24, 2024 11:33:46.579386950 CET	49825	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:33:46.695260048 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:46.702065945 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:46.753763914 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:46.761998892 CET	49830	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:46.762034893 CET	443	49830	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:46.762351036 CET	49830	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:46.762479067 CET	49830	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:46.762487888 CET	443	49830	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:46.794873953 CET	49831	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:46.794900894 CET	443	49831	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:46.799360037 CET	49831	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:46.800796032 CET	49831	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:46.800806046 CET	443	49831	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:46.821549892 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:46.898000956 CET	49832	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:46.898041010 CET	443	49832	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:46.900480986 CET	49832	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:46.900598049 CET	49832	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:46.900608063 CET	443	49832	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:46.901413918 CET	49833	443	192.168.2.6	151.101.129.91
Nov 24, 2024 11:33:46.901447058 CET	443	49833	151.101.129.91	192.168.2.6
Nov 24, 2024 11:33:46.901737928 CET	49833	443	192.168.2.6	151.101.129.91
Nov 24, 2024 11:33:46.901861906 CET	49833	443	192.168.2.6	151.101.129.91
Nov 24, 2024 11:33:46.901871920 CET	443	49833	151.101.129.91	192.168.2.6
Nov 24, 2024 11:33:46.941509962 CET	49834	443	192.168.2.6	35.201.103.21
Nov 24, 2024 11:33:46.941545010 CET	443	49834	35.201.103.21	192.168.2.6
Nov 24, 2024 11:33:46.941764116 CET	49834	443	192.168.2.6	35.201.103.21
Nov 24, 2024 11:33:46.943258047 CET	49834	443	192.168.2.6	35.201.103.21
Nov 24, 2024 11:33:46.943270922 CET	443	49834	35.201.103.21	192.168.2.6
Nov 24, 2024 11:33:47.028042078 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:47.070305109 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:48.019982100 CET	443	49830	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:48.020076990 CET	49830	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:48.023673058 CET	49830	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:48.023699999 CET	443	49830	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:48.024008036 CET	443	49830	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:48.026892900 CET	49830	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:48.026977062 CET	49830	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:48.027112961 CET	443	49830	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:48.027173996 CET	49830	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:48.031933069 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:48.104291916 CET	443	49831	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:48.107629061 CET	49831	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:48.112677097 CET	49831	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:48.112688065 CET	443	49831	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:48.112775087 CET	49831	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:48.112977982 CET	443	49831	35.190.72.216	192.168.2.6
Nov 24, 2024 11:33:48.113065004 CET	49831	443	192.168.2.6	35.190.72.216
Nov 24, 2024 11:33:48.151568890 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:48.157356977 CET	443	49832	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.157437086 CET	49832	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.160520077 CET	49832	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.160550117 CET	443	49832	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.160826921 CET	443	49832	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.161554098 CET	443	49833	151.101.129.91	192.168.2.6
Nov 24, 2024 11:33:48.161628962 CET	49833	443	192.168.2.6	151.101.129.91
Nov 24, 2024 11:33:48.164227962 CET	49833	443	192.168.2.6	151.101.129.91
Nov 24, 2024 11:33:48.164239883 CET	443	49833	151.101.129.91	192.168.2.6
Nov 24, 2024 11:33:48.164479971 CET	443	49833	151.101.129.91	192.168.2.6
Nov 24, 2024 11:33:48.165970087 CET	49832	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.166168928 CET	49832	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.166209936 CET	443	49832	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.166851997 CET	49832	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.168251038 CET	49833	443	192.168.2.6	151.101.129.91
Nov 24, 2024 11:33:48.168338060 CET	49833	443	192.168.2.6	151.101.129.91
Nov 24, 2024 11:33:48.168433905 CET	443	49833	151.101.129.91	192.168.2.6
Nov 24, 2024 11:33:48.169481039 CET	49833	443	192.168.2.6	151.101.129.91
Nov 24, 2024 11:33:48.180023909 CET	49841	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.180105925 CET	443	49841	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.183053970 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.183111906 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.184564114 CET	49841	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.184678078 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.185139894 CET	49841	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.185157061 CET	443	49841	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.185224056 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.185235977 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.186063051 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.186085939 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.186563015 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.186682940 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:48.186695099 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:48.205250025 CET	443	49834	35.201.103.21	192.168.2.6
Nov 24, 2024 11:33:48.205337048 CET	49834	443	192.168.2.6	35.201.103.21
Nov 24, 2024 11:33:48.209706068 CET	49834	443	192.168.2.6	35.201.103.21
Nov 24, 2024 11:33:48.209729910 CET	443	49834	35.201.103.21	192.168.2.6
Nov 24, 2024 11:33:48.209789038 CET	49834	443	192.168.2.6	35.201.103.21
Nov 24, 2024 11:33:48.209978104 CET	443	49834	35.201.103.21	192.168.2.6
Nov 24, 2024 11:33:48.210489988 CET	49834	443	192.168.2.6	35.201.103.21
Nov 24, 2024 11:33:48.221662998 CET	49844	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:48.221707106 CET	443	49844	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:48.222028971 CET	49844	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:48.222157955 CET	49844	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:48.222168922 CET	443	49844	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:48.356210947 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:48.359767914 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:48.396300077 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:48.480164051 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:48.683010101 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:48.728420019 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:49.446504116 CET	443	49841	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.446619987 CET	49841	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.447289944 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.447419882 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.448488951 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.448565960 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.449779034 CET	49841	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.449790001 CET	443	49841	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.450057983 CET	443	49841	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.452368975 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.452382088 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.452761889 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.454812050 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.454834938 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.455111027 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.459088087 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.459186077 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.459362030 CET	443	49843	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.459415913 CET	49841	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.459459066 CET	49841	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.459616899 CET	443	49841	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.459778070 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.459834099 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.459966898 CET	443	49842	35.244.181.201	192.168.2.6
Nov 24, 2024 11:33:49.460052013 CET	49843	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.460052013 CET	49841	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.461802006 CET	49842	443	192.168.2.6	35.244.181.201
Nov 24, 2024 11:33:49.465099096 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:49.478219986 CET	443	49844	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:49.478311062 CET	49844	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:49.481673956 CET	49844	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:49.481693029 CET	443	49844	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:49.481947899 CET	443	49844	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:49.484863043 CET	49844	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:49.484957933 CET	49844	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:49.485045910 CET	443	49844	34.149.100.209	192.168.2.6
Nov 24, 2024 11:33:49.486253023 CET	49844	443	192.168.2.6	34.149.100.209
Nov 24, 2024 11:33:49.584616899 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:49.788923025 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:49.792005062 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:49.831643105 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:49.911514044 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:50.117918015 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:33:50.163772106 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:59.792150974 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:33:59.911705017 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:00.130899906 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:00.252553940 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:06.417541981 CET	49886	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:06.417588949 CET	443	49886	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:06.418350935 CET	49886	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:06.419909000 CET	49886	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:06.419926882 CET	443	49886	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:07.681010008 CET	443	49886	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:07.681129932 CET	49886	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:07.685451984 CET	49886	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:07.685457945 CET	443	49886	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:07.685605049 CET	49886	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:07.685646057 CET	443	49886	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:07.687863111 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:07.689627886 CET	49886	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:07.807364941 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:08.014736891 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:08.018194914 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:08.068953037 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:08.137890100 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:08.342771053 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:08.385597944 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:17.117160082 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.117227077 CET	443	49913	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.117322922 CET	49914	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.117361069 CET	443	49914	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.117445946 CET	49915	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.117454052 CET	443	49915	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.117575884 CET	49916	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.117608070 CET	443	49916	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.117697954 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.117744923 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.117825031 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.117837906 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.118269920 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118294001 CET	49914	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118309021 CET	49915	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118314981 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118316889 CET	49916	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118316889 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118438959 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118448019 CET	443	49913	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.118570089 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118588924 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.118643045 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118654966 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.118706942 CET	49916	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118721008 CET	443	49916	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.118772030 CET	49915	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118786097 CET	443	49915	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:17.118839979 CET	49914	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:17.118850946 CET	443	49914	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.029090881 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:18.148936987 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:18.339998960 CET	443	49915	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.344279051 CET	49915	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.345613003 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:18.347907066 CET	49915	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.347930908 CET	443	49915	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.348196983 CET	443	49915	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.355472088 CET	49915	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.355588913 CET	49915	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.355632067 CET	443	49915	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.356075048 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.356120110 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.361272097 CET	49915	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.361309052 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.361697912 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.361709118 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.380470037 CET	443	49913	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.383476973 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.383888960 CET	443	49914	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.384197950 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.384463072 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.385169029 CET	443	49916	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.388546944 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.388552904 CET	443	49913	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.388649940 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:18.388768911 CET	443	49913	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.391345024 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.392333984 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.392441988 CET	443	49913	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.392525911 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.392532110 CET	443	49913	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.392841101 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.392874002 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.395322084 CET	443	49914	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.395328045 CET	443	49916	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.395329952 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.399117947 CET	49914	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.399137020 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.399283886 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.403321981 CET	443	49913	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.403455019 CET	49914	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.403461933 CET	443	49914	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.403729916 CET	443	49914	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.406848907 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.406864882 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.407162905 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.409378052 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.409387112 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.409729004 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.410227060 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.410247087 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.410259008 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.410273075 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.410291910 CET	49916	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.410321951 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.413825035 CET	49914	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.413876057 CET	49913	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.413878918 CET	49916	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.413878918 CET	49916	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.413878918 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.413886070 CET	443	49916	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.414227962 CET	443	49916	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.415282011 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.415293932 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.420461893 CET	49914	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.420624971 CET	443	49914	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.421293974 CET	49914	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.421299934 CET	443	49914	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.421441078 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.421602011 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.422276974 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.422286034 CET	443	49918	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.422651052 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.422877073 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.423165083 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.423172951 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.423620939 CET	49916	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.423620939 CET	49918	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.423705101 CET	49916	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.423809052 CET	443	49916	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.423935890 CET	49916	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.465718031 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:18.511543989 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:18.627334118 CET	443	49914	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.627336025 CET	443	49917	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:18.627393961 CET	49914	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.627423048 CET	49917	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:18.720513105 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:18.724077940 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:18.762422085 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:18.843708038 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:19.047533989 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:19.101069927 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:19.580795050 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.580935955 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.585553885 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.585576057 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.585798025 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.589236975 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.589365005 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.589420080 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.589427948 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.592956066 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:19.712528944 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:19.733283997 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.733304977 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.733453035 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.737962008 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.737976074 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.738205910 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.741555929 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.741682053 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.741725922 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.741730928 CET	443	49921	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.745016098 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.745033026 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.745043993 CET	49921	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.799334049 CET	443	49920	34.120.208.123	192.168.2.6
Nov 24, 2024 11:34:19.799455881 CET	49920	443	192.168.2.6	34.120.208.123
Nov 24, 2024 11:34:19.917149067 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:19.921830893 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:19.966017962 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:20.041424036 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:20.245843887 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:20.289261103 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:29.931571960 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:30.051249981 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:30.248157978 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:30.367716074 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:40.060606003 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:40.181869984 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:40.377109051 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:40.497709036 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:47.858465910 CET	49988	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:47.858532906 CET	443	49988	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:47.858952999 CET	49988	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:47.860470057 CET	49988	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:47.860491037 CET	443	49988	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:49.130702972 CET	443	49988	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:49.130913019 CET	49988	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:49.137278080 CET	49988	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:49.137310982 CET	443	49988	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:49.137440920 CET	49988	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:49.137545109 CET	443	49988	34.107.243.93	192.168.2.6
Nov 24, 2024 11:34:49.138463020 CET	49988	443	192.168.2.6	34.107.243.93
Nov 24, 2024 11:34:49.140906096 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:49.260478973 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:49.465351105 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:49.471170902 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:49.518289089 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:49.590878963 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:49.795562983 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:49.850421906 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:59.479245901 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:59.598716021 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:34:59.802294970 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:34:59.921895027 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:35:09.610287905 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:35:09.730830908 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:35:09.933314085 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:35:10.053303003 CET	80	49754	34.107.221.82	192.168.2.6
Nov 24, 2024 11:35:19.742760897 CET	49756	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:35:19.862270117 CET	80	49756	34.107.221.82	192.168.2.6
Nov 24, 2024 11:35:20.059250116 CET	49754	80	192.168.2.6	34.107.221.82
Nov 24, 2024 11:35:20.178834915 CET	80	49754	34.107.221.82	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 11:33:18.721626043 CET	57357	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:18.859477997 CET	53	57357	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:18.873469114 CET	61953	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:19.015811920 CET	53	61953	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:19.112673998 CET	55476	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:19.112816095 CET	51891	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:19.260041952 CET	53	51891	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:19.264879942 CET	57932	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:19.266607046 CET	58063	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:19.402175903 CET	53	57932	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:19.403794050 CET	53	58063	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:19.404705048 CET	55160	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:19.404798031 CET	52192	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:19.541872978 CET	53	52192	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:19.541906118 CET	53	55160	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:19.577704906 CET	53425	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:19.715245962 CET	53	53425	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.359110117 CET	49784	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.364666939 CET	53270	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.471415043 CET	49367	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.496216059 CET	53	49784	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.496844053 CET	58330	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.501449108 CET	53	53270	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.502536058 CET	56321	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.519273043 CET	60514	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.572721958 CET	56440	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.574117899 CET	56966	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.582257986 CET	61421	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.614494085 CET	53	49367	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.635966063 CET	53	58330	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.648416996 CET	53	56321	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.658109903 CET	53	60514	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.660881042 CET	49623	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.662050009 CET	57293	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.663081884 CET	56452	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.710899115 CET	53	56440	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.712373972 CET	53	56966	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.800000906 CET	53	57293	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.800327063 CET	53	56452	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.800805092 CET	59333	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:20.800956964 CET	53	49623	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:20.939065933 CET	53	59333	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:22.660233974 CET	50590	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.289496899 CET	63944	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.337851048 CET	53	54493	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:23.426752090 CET	53	63944	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:23.429694891 CET	51740	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.567012072 CET	53	51740	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:23.572303057 CET	50502	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.601269960 CET	58828	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.620946884 CET	57312	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.709445953 CET	53	50502	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:23.739248991 CET	53	58828	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:23.739969015 CET	51679	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.763171911 CET	53	57312	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:23.764727116 CET	63754	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.767474890 CET	50636	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.878153086 CET	53	51679	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:23.883593082 CET	61176	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.902031898 CET	53	63754	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:23.904001951 CET	55665	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:23.904644012 CET	53	50636	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:23.908139944 CET	51102	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:24.021760941 CET	53	61176	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:24.029356956 CET	55096	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:24.042162895 CET	53	55665	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:24.048958063 CET	53	51102	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:30.461009979 CET	56969	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:30.598803043 CET	53	56969	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:30.906348944 CET	61607	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:30.906619072 CET	65494	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:30.906877995 CET	53922	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:31.044624090 CET	53	61607	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:31.044696093 CET	53	65494	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:31.045471907 CET	53	53922	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.316847086 CET	61195	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.317064047 CET	57074	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.317449093 CET	50023	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.324862957 CET	54006	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.454277992 CET	53	57074	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.454303026 CET	53	61195	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.454602003 CET	53	50023	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.455650091 CET	61189	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.455770016 CET	54891	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.456186056 CET	57115	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.595299006 CET	53	57115	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.598278999 CET	53	54891	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.598762989 CET	52848	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.601919889 CET	56493	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.603359938 CET	53	61189	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.736876965 CET	53	52848	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.740546942 CET	53	56493	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.753045082 CET	50291	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.753458977 CET	50793	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:32.890851021 CET	53	50793	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:32.898933887 CET	51118	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:33.018162966 CET	53	50291	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:33.018898964 CET	63687	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:33.041232109 CET	53	51118	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:33.138602018 CET	54023	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:33.275206089 CET	53	63687	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:33.275911093 CET	53	54023	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:44.951152086 CET	64506	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:45.090771914 CET	53	64506	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:45.092044115 CET	52905	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:45.229620934 CET	53	52905	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:46.760092020 CET	62628	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:46.803137064 CET	56198	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:46.897377968 CET	65255	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:46.897682905 CET	53	62628	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:46.901582003 CET	57114	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:46.940432072 CET	53	56198	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:46.941705942 CET	62553	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:47.034928083 CET	53	65255	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:47.039822102 CET	53	57114	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:47.040622950 CET	54537	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:47.080197096 CET	53	62553	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:47.080970049 CET	57957	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:33:47.178165913 CET	53	54537	1.1.1.1	192.168.2.6
Nov 24, 2024 11:33:47.218581915 CET	53	57957	1.1.1.1	192.168.2.6
Nov 24, 2024 11:34:06.418291092 CET	49629	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:34:06.555782080 CET	53	49629	1.1.1.1	192.168.2.6
Nov 24, 2024 11:34:17.118175030 CET	56310	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:34:17.257194996 CET	53	56310	1.1.1.1	192.168.2.6
Nov 24, 2024 11:34:47.716875076 CET	61692	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:34:47.856980085 CET	53	61692	1.1.1.1	192.168.2.6
Nov 24, 2024 11:34:47.858967066 CET	64275	53	192.168.2.6	1.1.1.1
Nov 24, 2024 11:34:47.996489048 CET	53	64275	1.1.1.1	192.168.2.6
Nov 24, 2024 11:34:49.141220093 CET	64240	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 11:33:18.721626043 CET	192.168.2.6	1.1.1.1	0xc998	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:18.873469114 CET	192.168.2.6	1.1.1.1	0x896c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 11:33:19.112673998 CET	192.168.2.6	1.1.1.1	0x9c2c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:19.112816095 CET	192.168.2.6	1.1.1.1	0x8cc6	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:19.264879942 CET	192.168.2.6	1.1.1.1	0x5e56	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:19.266607046 CET	192.168.2.6	1.1.1.1	0x1753	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:19.404705048 CET	192.168.2.6	1.1.1.1	0xb22	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 11:33:19.404798031 CET	192.168.2.6	1.1.1.1	0xe96	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:19.577704906 CET	192.168.2.6	1.1.1.1	0x4a0c	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.359110117 CET	192.168.2.6	1.1.1.1	0xc18b	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.364666939 CET	192.168.2.6	1.1.1.1	0x5985	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.471415043 CET	192.168.2.6	1.1.1.1	0xbe6b	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.496844053 CET	192.168.2.6	1.1.1.1	0x1df5	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:20.502536058 CET	192.168.2.6	1.1.1.1	0xa0ab	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.519273043 CET	192.168.2.6	1.1.1.1	0x6052	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.572721958 CET	192.168.2.6	1.1.1.1	0xd6e0	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.574117899 CET	192.168.2.6	1.1.1.1	0x7350	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.582257986 CET	192.168.2.6	1.1.1.1	0xcaa9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.660881042 CET	192.168.2.6	1.1.1.1	0xd5ee	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 11:33:20.662050009 CET	192.168.2.6	1.1.1.1	0x4766	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.663081884 CET	192.168.2.6	1.1.1.1	0xbae6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 11:33:20.800805092 CET	192.168.2.6	1.1.1.1	0xc22a	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 11:33:22.660233974 CET	192.168.2.6	1.1.1.1	0x82d3	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.289496899 CET	192.168.2.6	1.1.1.1	0x94df	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.429694891 CET	192.168.2.6	1.1.1.1	0x1b68	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.572303057 CET	192.168.2.6	1.1.1.1	0xcdef	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:23.601269960 CET	192.168.2.6	1.1.1.1	0xadd	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.620946884 CET	192.168.2.6	1.1.1.1	0xf3a0	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.739969015 CET	192.168.2.6	1.1.1.1	0x1d1c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.764727116 CET	192.168.2.6	1.1.1.1	0x7fee	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.767474890 CET	192.168.2.6	1.1.1.1	0xed8c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.883593082 CET	192.168.2.6	1.1.1.1	0x1beb	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 11:33:23.904001951 CET	192.168.2.6	1.1.1.1	0x68cc	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 11:33:23.908139944 CET	192.168.2.6	1.1.1.1	0x4b99	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:24.029356956 CET	192.168.2.6	1.1.1.1	0xdbcb	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:30.461009979 CET	192.168.2.6	1.1.1.1	0x1239	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:30.906348944 CET	192.168.2.6	1.1.1.1	0xe875	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:30.906619072 CET	192.168.2.6	1.1.1.1	0x1fb	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:30.906877995 CET	192.168.2.6	1.1.1.1	0xe120	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.316847086 CET	192.168.2.6	1.1.1.1	0x33f4	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.317064047 CET	192.168.2.6	1.1.1.1	0x99ed	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.317449093 CET	192.168.2.6	1.1.1.1	0x3498	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.324862957 CET	192.168.2.6	1.1.1.1	0x5ba	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.455650091 CET	192.168.2.6	1.1.1.1	0xdb1	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:32.455770016 CET	192.168.2.6	1.1.1.1	0xa530	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 24, 2024 11:33:32.456186056 CET	192.168.2.6	1.1.1.1	0x530e	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:32.598762989 CET	192.168.2.6	1.1.1.1	0xdd85	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.601919889 CET	192.168.2.6	1.1.1.1	0xaabd	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.753045082 CET	192.168.2.6	1.1.1.1	0x37e	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.753458977 CET	192.168.2.6	1.1.1.1	0x4efb	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.898933887 CET	192.168.2.6	1.1.1.1	0xb4a9	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:33.018898964 CET	192.168.2.6	1.1.1.1	0x45b1	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 24, 2024 11:33:33.138602018 CET	192.168.2.6	1.1.1.1	0xc167	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:44.951152086 CET	192.168.2.6	1.1.1.1	0xed02	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:45.092044115 CET	192.168.2.6	1.1.1.1	0xc0d7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:33:46.760092020 CET	192.168.2.6	1.1.1.1	0xbd3d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:46.803137064 CET	192.168.2.6	1.1.1.1	0xe8c7	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:46.897377968 CET	192.168.2.6	1.1.1.1	0x7a2d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 11:33:46.901582003 CET	192.168.2.6	1.1.1.1	0xca0c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:46.941705942 CET	192.168.2.6	1.1.1.1	0xc3b	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:47.040622950 CET	192.168.2.6	1.1.1.1	0x3f62	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 24, 2024 11:33:47.080970049 CET	192.168.2.6	1.1.1.1	0x66fe	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:34:06.418291092 CET	192.168.2.6	1.1.1.1	0x97c2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:34:17.118175030 CET	192.168.2.6	1.1.1.1	0x4534	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:34:47.716875076 CET	192.168.2.6	1.1.1.1	0x9d2a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:34:47.858967066 CET	192.168.2.6	1.1.1.1	0xde56	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 11:34:49.141220093 CET	192.168.2.6	1.1.1.1	0x8d22	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 11:33:10.451936960 CET	1.1.1.1	192.168.2.6	0x27	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:10.451936960 CET	1.1.1.1	192.168.2.6	0x27	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:18.718946934 CET	1.1.1.1	192.168.2.6	0x7bf3	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:18.859477997 CET	1.1.1.1	192.168.2.6	0xc998	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:19.260041952 CET	1.1.1.1	192.168.2.6	0x8cc6	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:19.260087967 CET	1.1.1.1	192.168.2.6	0x9c2c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:19.260087967 CET	1.1.1.1	192.168.2.6	0x9c2c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:19.402175903 CET	1.1.1.1	192.168.2.6	0x5e56	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:19.403794050 CET	1.1.1.1	192.168.2.6	0x1753	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:19.541872978 CET	1.1.1.1	192.168.2.6	0xe96	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 24, 2024 11:33:19.541906118 CET	1.1.1.1	192.168.2.6	0xb22	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 11:33:19.715245962 CET	1.1.1.1	192.168.2.6	0x4a0c	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.496216059 CET	1.1.1.1	192.168.2.6	0xc18b	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.501449108 CET	1.1.1.1	192.168.2.6	0x5985	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:20.501449108 CET	1.1.1.1	192.168.2.6	0x5985	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.514257908 CET	1.1.1.1	192.168.2.6	0x77c3	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:20.514257908 CET	1.1.1.1	192.168.2.6	0x77c3	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.614494085 CET	1.1.1.1	192.168.2.6	0xbe6b	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:20.614494085 CET	1.1.1.1	192.168.2.6	0xbe6b	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:20.614494085 CET	1.1.1.1	192.168.2.6	0xbe6b	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.648416996 CET	1.1.1.1	192.168.2.6	0xa0ab	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.658109903 CET	1.1.1.1	192.168.2.6	0x6052	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.710899115 CET	1.1.1.1	192.168.2.6	0xd6e0	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.712373972 CET	1.1.1.1	192.168.2.6	0x7350	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.712373972 CET	1.1.1.1	192.168.2.6	0x7350	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.722908974 CET	1.1.1.1	192.168.2.6	0xcaa9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:20.722908974 CET	1.1.1.1	192.168.2.6	0xcaa9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.800000906 CET	1.1.1.1	192.168.2.6	0x4766	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:20.939065933 CET	1.1.1.1	192.168.2.6	0xc22a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 11:33:22.884260893 CET	1.1.1.1	192.168.2.6	0x82d3	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:23.426752090 CET	1.1.1.1	192.168.2.6	0x94df	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.534449100 CET	1.1.1.1	192.168.2.6	0xe1df	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:23.534449100 CET	1.1.1.1	192.168.2.6	0xe1df	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.567012072 CET	1.1.1.1	192.168.2.6	0x1b68	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.739248991 CET	1.1.1.1	192.168.2.6	0xadd	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:23.739248991 CET	1.1.1.1	192.168.2.6	0xadd	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:23.739248991 CET	1.1.1.1	192.168.2.6	0xadd	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.763171911 CET	1.1.1.1	192.168.2.6	0xf3a0	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:23.763171911 CET	1.1.1.1	192.168.2.6	0xf3a0	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.764252901 CET	1.1.1.1	192.168.2.6	0xabf8	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.878153086 CET	1.1.1.1	192.168.2.6	0x1d1c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.902031898 CET	1.1.1.1	192.168.2.6	0x7fee	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:23.904644012 CET	1.1.1.1	192.168.2.6	0xed8c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:24.568128109 CET	1.1.1.1	192.168.2.6	0xdbcb	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:24.568128109 CET	1.1.1.1	192.168.2.6	0xdbcb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:26.638166904 CET	1.1.1.1	192.168.2.6	0xb4b9	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044624090 CET	1.1.1.1	192.168.2.6	0xe875	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044696093 CET	1.1.1.1	192.168.2.6	0x1fb	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:31.044696093 CET	1.1.1.1	192.168.2.6	0x1fb	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:31.045471907 CET	1.1.1.1	192.168.2.6	0xe120	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:31.045471907 CET	1.1.1.1	192.168.2.6	0xe120	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454277992 CET	1.1.1.1	192.168.2.6	0x99ed	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454303026 CET	1.1.1.1	192.168.2.6	0x33f4	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454303026 CET	1.1.1.1	192.168.2.6	0x33f4	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454303026 CET	1.1.1.1	192.168.2.6	0x33f4	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454303026 CET	1.1.1.1	192.168.2.6	0x33f4	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454303026 CET	1.1.1.1	192.168.2.6	0x33f4	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454303026 CET	1.1.1.1	192.168.2.6	0x33f4	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454303026 CET	1.1.1.1	192.168.2.6	0x33f4	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454303026 CET	1.1.1.1	192.168.2.6	0x33f4	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.454602003 CET	1.1.1.1	192.168.2.6	0x3498	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.463541031 CET	1.1.1.1	192.168.2.6	0x5ba	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:32.463541031 CET	1.1.1.1	192.168.2.6	0x5ba	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.595299006 CET	1.1.1.1	192.168.2.6	0x530e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 11:33:32.595299006 CET	1.1.1.1	192.168.2.6	0x530e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 11:33:32.595299006 CET	1.1.1.1	192.168.2.6	0x530e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 11:33:32.595299006 CET	1.1.1.1	192.168.2.6	0x530e	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 11:33:32.598278999 CET	1.1.1.1	192.168.2.6	0xa530	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 24, 2024 11:33:32.603359938 CET	1.1.1.1	192.168.2.6	0xdb1	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 24, 2024 11:33:32.736876965 CET	1.1.1.1	192.168.2.6	0xdd85	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:32.736876965 CET	1.1.1.1	192.168.2.6	0xdd85	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.736876965 CET	1.1.1.1	192.168.2.6	0xdd85	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.736876965 CET	1.1.1.1	192.168.2.6	0xdd85	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.736876965 CET	1.1.1.1	192.168.2.6	0xdd85	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.740546942 CET	1.1.1.1	192.168.2.6	0xaabd	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.740546942 CET	1.1.1.1	192.168.2.6	0xaabd	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.740546942 CET	1.1.1.1	192.168.2.6	0xaabd	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.740546942 CET	1.1.1.1	192.168.2.6	0xaabd	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.890851021 CET	1.1.1.1	192.168.2.6	0x4efb	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.890851021 CET	1.1.1.1	192.168.2.6	0x4efb	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.890851021 CET	1.1.1.1	192.168.2.6	0x4efb	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:32.890851021 CET	1.1.1.1	192.168.2.6	0x4efb	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:33.018162966 CET	1.1.1.1	192.168.2.6	0x37e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:33.018162966 CET	1.1.1.1	192.168.2.6	0x37e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:33.018162966 CET	1.1.1.1	192.168.2.6	0x37e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:33.018162966 CET	1.1.1.1	192.168.2.6	0x37e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:45.090771914 CET	1.1.1.1	192.168.2.6	0xed02	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:46.896039009 CET	1.1.1.1	192.168.2.6	0x2ab4	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:46.896039009 CET	1.1.1.1	192.168.2.6	0x2ab4	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:46.897682905 CET	1.1.1.1	192.168.2.6	0xbd3d	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:46.897682905 CET	1.1.1.1	192.168.2.6	0xbd3d	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:46.897682905 CET	1.1.1.1	192.168.2.6	0xbd3d	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:46.897682905 CET	1.1.1.1	192.168.2.6	0xbd3d	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:46.940432072 CET	1.1.1.1	192.168.2.6	0xe8c7	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:46.940432072 CET	1.1.1.1	192.168.2.6	0xe8c7	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:47.039822102 CET	1.1.1.1	192.168.2.6	0xca0c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:47.039822102 CET	1.1.1.1	192.168.2.6	0xca0c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:47.039822102 CET	1.1.1.1	192.168.2.6	0xca0c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:47.039822102 CET	1.1.1.1	192.168.2.6	0xca0c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:47.080197096 CET	1.1.1.1	192.168.2.6	0xc3b	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:33:47.178165913 CET	1.1.1.1	192.168.2.6	0x3f62	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 11:33:47.178165913 CET	1.1.1.1	192.168.2.6	0x3f62	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 11:33:47.178165913 CET	1.1.1.1	192.168.2.6	0x3f62	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 11:33:47.178165913 CET	1.1.1.1	192.168.2.6	0x3f62	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 11:33:50.331527948 CET	1.1.1.1	192.168.2.6	0xe6ee	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:33:50.331527948 CET	1.1.1.1	192.168.2.6	0xe6ee	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:34:17.112874031 CET	1.1.1.1	192.168.2.6	0x6aa	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:34:47.856980085 CET	1.1.1.1	192.168.2.6	0x9d2a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 11:34:49.278211117 CET	1.1.1.1	192.168.2.6	0x8d22	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 11:34:49.278211117 CET	1.1.1.1	192.168.2.6	0x8d22	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49739	34.107.221.82	80	5208	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 11:33:19.385986090 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:20.523361921 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60908 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:21.364073038 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:21.689513922 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60909 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49750	34.107.221.82	80	5208	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 11:33:20.846801996 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:21.988208055 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 53604 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49754	34.107.221.82	80	5208	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 11:33:22.648533106 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:23.787379980 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39256 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:24.029105902 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:24.355638981 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39257 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:26.432373047 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:26.755646944 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39259 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:32.323143005 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:32.646939993 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39265 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:33.141562939 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:33.466204882 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39266 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:35.758536100 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:36.082082987 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39268 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:36.690210104 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:37.013834000 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39269 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:43.935929060 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:44.272629023 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39277 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:46.702065945 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:47.028042078 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39279 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:48.359767914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:48.683010101 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39281 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:33:49.792005062 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:33:50.117918015 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39282 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:34:00.130899906 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:34:08.018194914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:34:08.342771053 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39301 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:34:18.345613003 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:34:18.724077940 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:34:19.047533989 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39311 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:34:19.921830893 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:34:20.245843887 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39313 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:34:30.248157978 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:34:40.377109051 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:34:49.471170902 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 11:34:49.795562983 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 39342 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 11:34:59.802294970 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:35:09.933314085 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:35:20.059250116 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49756	34.107.221.82	80	5208	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 11:33:22.785307884 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:23.933413029 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60911 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:24.031919003 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:24.359901905 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60912 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:26.500797987 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:26.830261946 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60914 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:32.433922052 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:32.757978916 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60920 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:34.114923000 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:34.446424007 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60922 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:35.760113001 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:36.084472895 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60923 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:43.606689930 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:43.930792093 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60931 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:46.371210098 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:46.695260048 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60934 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:48.031933069 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:48.356210947 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60936 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:49.465099096 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:33:49.788923025 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60937 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:33:59.792150974 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:34:07.687863111 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:34:08.014736891 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60955 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:34:18.029090881 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:34:18.388649940 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:34:18.720513105 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60966 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:34:19.592956066 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:34:19.917149067 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60967 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:34:29.931571960 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:34:40.060606003 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:34:49.140906096 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 11:34:49.465351105 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 60997 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 11:34:59.479245901 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:35:09.610287905 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 11:35:19.742760897 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	05:33:11
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x870000
File size:	923'136 bytes
MD5 hash:	9F60BC3CE0041CA8D6665C3D7BE1C33F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:33:11
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xa80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:33:11
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:33:13
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xa80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:33:13
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:33:14
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xa80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:33:14
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:33:14
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xa80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:33:14
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:33:14
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xa80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:33:14
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:33:14
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:33:14
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:33:14
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	05:33:15
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6807ab7b-751a-454b-9212-796b867fa420} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14dd6e6eb10 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	05:33:17
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20230927232528 -prefsHandle 2940 -prefMapHandle 4208 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9f1bbef-5c1f-4c5e-a379-f35316c8fad8} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14de946a110 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	05:33:22
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5128 -prefMapHandle 5124 -prefsLen 33076 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b85e3d19-1243-43ff-b9ce-b6f45ccaee44} 5208 "\\.\pipe\gecko-crash-server-pipe.5208" 14def556b10 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1562
Total number of Limit Nodes:	60

Executed Functions

Function 008742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0087430D

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

GetCurrentProcess.KERNEL32(?,0090CB64,00000000,?,?), ref: 00874422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00874429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00874454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00874466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00874474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0087447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008744A0

Strings

GetNativeSystemInfo, xrefs: 00874460
|O, xrefs: 008B36F8
kernel32.dll, xrefs: 0087444F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 72f2f9eb2a31be519057d3d2c531bb27d39d3492057121451912f915461db3ab
Instruction ID: 97498a7a1bfdebb1de76cfa6793bcf67de69e872355c36e1547a5b23a787ab85
Opcode Fuzzy Hash: 72f2f9eb2a31be519057d3d2c531bb27d39d3492057121451912f915461db3ab
Instruction Fuzzy Hash: B7A1C46A93E2C4DFC711CF697C409E57FA4BB27744B0495A9E045D3B26E32085C8FB25

Function 008742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008750AA,?,?,00000000,00000000), ref: 008742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008750AA,?,?,00000000,00000000), ref: 008742C9
LoadResource.KERNEL32(?,00000000,?,?,008750AA,?,?,00000000,00000000,?,?,?,?,?,?,00874F20), ref: 008B35BE
SizeofResource.KERNEL32(?,00000000,?,?,008750AA,?,?,00000000,00000000,?,?,?,?,?,?,00874F20), ref: 008B35D3
LockResource.KERNEL32(008750AA,?,?,008750AA,?,?,00000000,00000000,?,?,?,?,?,?,00874F20,?), ref: 008B35E6

Strings

SCRIPT, xrefs: 008742BF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7e45ec8ae874fc1247f597907678fff5ac139e7c156fc7ed2705fb1b25990d04
Instruction ID: 4c6918db9129075fe604bb72038c30bf5fe20d5a85500280641d9aee7aaa56e7
Opcode Fuzzy Hash: 7e45ec8ae874fc1247f597907678fff5ac139e7c156fc7ed2705fb1b25990d04
Instruction Fuzzy Hash: 61118EB0214701BFD7218B69DC48F677BBDFBC5B51F208269F416D6690DBB2DC10AA20

Function 008B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00872B6B

Part of subcall function 00873A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00941418,?,00872E7F,?,?,?,00000000), ref: 00873A78

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00932224), ref: 008B2C10
ShellExecuteW.SHELL32(00000000,?,?,00932224), ref: 008B2C17

Strings

runas, xrefs: 008B2C0B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 8cb41da7c05ffdb5d2ed7c8bf338177f17621aabf17e0d83397f74c03d17d09c
Instruction ID: 3382ff90fdbb2c301004301ccfeb7e79f3efef9647160b05e63cb29e12365f37
Opcode Fuzzy Hash: 8cb41da7c05ffdb5d2ed7c8bf338177f17621aabf17e0d83397f74c03d17d09c
Instruction Fuzzy Hash: 8C11B431208305AAC714FF68D892DBE7BA4FF95354F44842DF08AD21AADF30C649A713

Function 008DD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008DD501
Process32FirstW.KERNEL32(00000000,?), ref: 008DD50F
Process32NextW.KERNEL32(00000000,?), ref: 008DD52F
CloseHandle.KERNELBASE(00000000), ref: 008DD5DC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 889f5ad1514c4849b9d98fc92c0e48abd06265c697c95cd31641dd54bdb72547
Instruction ID: 2f7ad9b6fa48af6160421bac9fe25ccee29f5139b3abfe41cb516c82c6f5d30a
Opcode Fuzzy Hash: 889f5ad1514c4849b9d98fc92c0e48abd06265c697c95cd31641dd54bdb72547
Instruction Fuzzy Hash: 9F315C711083009FD305EF58D881AAABBF8FF99354F14462DF585C62A1EB71E945CB93

Function 008DDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,008B5222), ref: 008DDBCE
GetFileAttributesW.KERNELBASE(?), ref: 008DDBDD
FindFirstFileW.KERNEL32(?,?), ref: 008DDBEE
FindClose.KERNEL32(00000000), ref: 008DDBFA

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: c8c2212c3d903cdc833b079203d407251b6b44eebe5b264610596fe64c511408
Instruction ID: be3b7a28c5be018f0e3615081329658aa59eca547d98c2c4efb95a34f2c69bfb
Opcode Fuzzy Hash: c8c2212c3d903cdc833b079203d407251b6b44eebe5b264610596fe64c511408
Instruction Fuzzy Hash: D1F0A070838A145BC2206B7CAC0E8BA376CEF01334F204703F836C22E1EBB099549695

Function 00894CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008A28E9,?,00894CBE,008A28E9,009388B8,0000000C,00894E15,008A28E9,00000002,00000000,?,008A28E9), ref: 00894D09
TerminateProcess.KERNEL32(00000000,?,00894CBE,008A28E9,009388B8,0000000C,00894E15,008A28E9,00000002,00000000,?,008A28E9), ref: 00894D10
ExitProcess.KERNEL32 ref: 00894D22

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cdd36ccbf9efdf37eeba5081e89ccb8d8b9caa95e9c51e48aa30aed2b40bfdab
Instruction ID: 43c82b5b977ffc4177fa7b89b9b0e5933e548c6cc58ce25d9580d37181768875
Opcode Fuzzy Hash: cdd36ccbf9efdf37eeba5081e89ccb8d8b9caa95e9c51e48aa30aed2b40bfdab
Instruction Fuzzy Hash: C1E0B675124148AFCF15BF54DD09E583B69FB46781B148114FC05CA122CB35DD42EB80

Function 008FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 008FB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FB1D4
_wcslen.LIBCMT ref: 008FB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FB236
_wcslen.LIBCMT ref: 008FB332

Part of subcall function 008E05A7: GetStdHandle.KERNEL32(000000F6), ref: 008E05C6

_wcslen.LIBCMT ref: 008FB34B
_wcslen.LIBCMT ref: 008FB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008FB3B6
GetLastError.KERNEL32(00000000), ref: 008FB407
CloseHandle.KERNEL32(?), ref: 008FB439
CloseHandle.KERNEL32(00000000), ref: 008FB44A
CloseHandle.KERNEL32(00000000), ref: 008FB45C
CloseHandle.KERNEL32(00000000), ref: 008FB46E
CloseHandle.KERNEL32(?), ref: 008FB4E3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 0195ca3c8890a5c71640ed6f7d79766caf0ecd2c061c331405e78a5244f78e2a
Instruction ID: bae1c2e16be6cbab7cd7bd9686fbaa66e2f2ff4c4240ce06ef9466d457516556
Opcode Fuzzy Hash: 0195ca3c8890a5c71640ed6f7d79766caf0ecd2c061c331405e78a5244f78e2a
Instruction Fuzzy Hash: 42F18B716082449FCB14EF28C891B2ABBE5FF85714F14855DF999CB2A6DB31EC40CB52

Function 0087D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0087D807
timeGetTime.WINMM ref: 0087DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0087DB28
TranslateMessage.USER32(?), ref: 0087DB7B
DispatchMessageW.USER32(?), ref: 0087DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0087DB9F
Sleep.KERNELBASE(0000000A), ref: 0087DBB1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 5061f47f3775100d394ce4331f9ecc48d707fd339a13991cc4981a7746571e5d
Instruction ID: 285f65bffd2eaff46d4e708e3d860d1987e87cc50965626e0908af4d021220b9
Opcode Fuzzy Hash: 5061f47f3775100d394ce4331f9ecc48d707fd339a13991cc4981a7746571e5d
Instruction Fuzzy Hash: D4429A706083459FDB29DB28C884F6ABBF0FF86314F14865DE55AC72A1D770E884DB92

Function 00872CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00872D07
RegisterClassExW.USER32(00000030), ref: 00872D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00872D42
InitCommonControlsEx.COMCTL32(?), ref: 00872D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00872D6F
LoadIconW.USER32(000000A9), ref: 00872D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00872D94

Strings

+, xrefs: 00872CF0
AutoIt v3 GUI, xrefs: 00872D23
TaskbarCreated, xrefs: 00872D37
0, xrefs: 00872CE9

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9c921c6be5754fd4e98b61acdd268325e818564fd24d9eaebd6dbcdc1a656d46
Instruction ID: da36a18d3fd6056311643659deb8ddc8b8d537502774ab10a4d6d0dcb9b85620
Opcode Fuzzy Hash: 9c921c6be5754fd4e98b61acdd268325e818564fd24d9eaebd6dbcdc1a656d46
Instruction Fuzzy Hash: D921C4B9965318AFDB00DFA4EC49BDDBBB4FB09704F00821AF511A62A0D7B14584EF91

Function 008B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008B039A: CreateFileW.KERNELBASE(00000000,00000000,?,008B0704,?,?,00000000,?,008B0704,00000000,0000000C), ref: 008B03B7

GetLastError.KERNEL32 ref: 008B076F
__dosmaperr.LIBCMT ref: 008B0776
GetFileType.KERNELBASE(00000000), ref: 008B0782
GetLastError.KERNEL32 ref: 008B078C
__dosmaperr.LIBCMT ref: 008B0795
CloseHandle.KERNEL32(00000000), ref: 008B07B5
CloseHandle.KERNEL32(?), ref: 008B08FF
GetLastError.KERNEL32 ref: 008B0931
__dosmaperr.LIBCMT ref: 008B0938

Strings

H, xrefs: 008B08BD

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a507db07f80dce0d146946c5e34e92578688064e931d42d665eb3d4f178736f8
Instruction ID: 58b2b9d614679b234afb7182810eecaa5ccd379f03cdb8e5d2b48c7a7189804e
Opcode Fuzzy Hash: a507db07f80dce0d146946c5e34e92578688064e931d42d665eb3d4f178736f8
Instruction Fuzzy Hash: 1AA12632A141088FDF19AF68DC51BEE7BA0FB4A324F140199F815DB392DB319916DF92

Function 0087344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00873A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00941418,?,00872E7F,?,?,?,00000000), ref: 00873A78

Part of subcall function 00873357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00873379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0087356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008B318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008B31CE
RegCloseKey.ADVAPI32(?), ref: 008B3210
_wcslen.LIBCMT ref: 008B3277
_wcslen.LIBCMT ref: 008B3286

Strings

\, xrefs: 008B328C
\Include\, xrefs: 00873527
Include, xrefs: 008B3184, 008B31C5
Software\AutoIt v3\AutoIt, xrefs: 00873560

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 4be6396e38861cd705c67199b361c2c73d8d8b9bfaed843841bf8cc36a08b51e
Instruction ID: 676e61a8f56d4f09b69bd680f83fa3bbf9fb92476a7ea47037574a0126793a99
Opcode Fuzzy Hash: 4be6396e38861cd705c67199b361c2c73d8d8b9bfaed843841bf8cc36a08b51e
Instruction Fuzzy Hash: EA715A714183009EC714EF69D882D9ABBF8FF96B40B80452EF559C62A5EB309A48DB52

Function 00872B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00872B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00872B9D
LoadIconW.USER32(00000063), ref: 00872BB3
LoadIconW.USER32(000000A4), ref: 00872BC5
LoadIconW.USER32(000000A2), ref: 00872BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00872BEF
RegisterClassExW.USER32(?), ref: 00872C40

Part of subcall function 00872CD4: GetSysColorBrush.USER32(0000000F), ref: 00872D07
Part of subcall function 00872CD4: RegisterClassExW.USER32(00000030), ref: 00872D31
Part of subcall function 00872CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00872D42
Part of subcall function 00872CD4: InitCommonControlsEx.COMCTL32(?), ref: 00872D5F
Part of subcall function 00872CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00872D6F
Part of subcall function 00872CD4: LoadIconW.USER32(000000A9), ref: 00872D85
Part of subcall function 00872CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00872D94

Strings

AutoIt v3, xrefs: 00872C2F
#, xrefs: 00872C16
0, xrefs: 00872C0F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ccf129aeda272b0232e2cf735d9137dba7abb6653c2df662141d269ea27e1f74
Instruction ID: 418ca51248d2d65c0816058c7c9785c0c344740950db12fc806f839944f2c2ce
Opcode Fuzzy Hash: ccf129aeda272b0232e2cf735d9137dba7abb6653c2df662141d269ea27e1f74
Instruction Fuzzy Hash: 82216FB8E68314AFDB109FA5EC45F9D7FB4FB49B50F00411AF500A66A0D3B14580EF90

Function 00873170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0087316A,?,?), ref: 008731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0087316A,?,?), ref: 00873204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00873227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0087316A,?,?), ref: 00873232
CreatePopupMenu.USER32 ref: 00873246
PostQuitMessage.USER32(00000000), ref: 00873267

Strings

TaskbarCreated, xrefs: 0087322D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4d88ee54b9345550a00b30f1597e16b748f5c15533012c6f9a647187f928063b
Instruction ID: 53ca8591b5126f70eebca96c7abf04fca6732b90b56e1d006489295645aa3782
Opcode Fuzzy Hash: 4d88ee54b9345550a00b30f1597e16b748f5c15533012c6f9a647187f928063b
Instruction Fuzzy Hash: 79411735278208ABDB255B7C9C09FB93B59F706345F148225F90AC63AAD771CA80B773

Function 00871410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00871459
CoUninitialize.COMBASE ref: 008714F8
UnregisterHotKey.USER32(?), ref: 008716DD
DestroyWindow.USER32(?), ref: 008B24B9
FreeLibrary.KERNEL32(?), ref: 008B251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008B254B

Strings

close all, xrefs: 00871454

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 11ce529b0eaa4ac2dd60f3a6162614763b531040da2235a27c28b7fe88ac7f6b
Instruction ID: c7670b2cb3ca4ec4b80cf04cc641bfc63ca4d0ae0c908541b678e1cf426d73b3
Opcode Fuzzy Hash: 11ce529b0eaa4ac2dd60f3a6162614763b531040da2235a27c28b7fe88ac7f6b
Instruction Fuzzy Hash: FDD159716012128FCB29EF18C899A69F7A4FF05710F1482ADE54AEB656DB30ED12CF52

Function 00872C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00872C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00872CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00871CAD,?), ref: 00872CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00871CAD,?), ref: 00872CCF

Strings

AutoIt v3, xrefs: 00872C89, 00872C8E, 00872C8F
edit, xrefs: 00872CAC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: be347a593a27b997748aa1844ddfd38ec4af7510b505a00928bfc4c616361b03
Instruction ID: fc4a20fa60241a8985c4099bed23a1498bde036a11b7f5ccda371eb209a1fe54
Opcode Fuzzy Hash: be347a593a27b997748aa1844ddfd38ec4af7510b505a00928bfc4c616361b03
Instruction Fuzzy Hash: 89F0DAB95642907EEB311B17AC48E772EBDD7C7F50B00005AF900A25A0C6611894EAB0

Function 00873B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00873B0F,SwapMouseButtons,00000004,?), ref: 00873B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00873B0F,SwapMouseButtons,00000004,?), ref: 00873B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00873B0F,SwapMouseButtons,00000004,?), ref: 00873B83

Strings

Control Panel\Mouse, xrefs: 00873B3E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a62e28d76f3b2476283d66fc6ee8e24ec354c76a168d72e62c306badce9dc457
Instruction ID: bb7fce2a9c2042614a4e6f2f6dcb3bd70c44559fda2a6e2f47a1af5298589cd7
Opcode Fuzzy Hash: a62e28d76f3b2476283d66fc6ee8e24ec354c76a168d72e62c306badce9dc457
Instruction Fuzzy Hash: A5112AB5520208FFDB208FA5DC84AEEB7BCFF15754B10855AA809D7114D231DE40A7A1

Function 00873923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008B33A2

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00873A04

Strings

Line: , xrefs: 008B33EB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9bdd440a92edfc9d7a3b1189cfec51d2de2ec7bb13a057ec5aacafb37af001fa
Instruction ID: abd2f7bb80fa3c24f5afe3df8c71b9f7beb292395d4ad112ab72236459c0596f
Opcode Fuzzy Hash: 9bdd440a92edfc9d7a3b1189cfec51d2de2ec7bb13a057ec5aacafb37af001fa
Instruction Fuzzy Hash: 3E31AF71418314AAC725EB24DC45FEBB7E8FB85714F00852AF59DC2195EB70D688D783

Function 0088FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00890668

Part of subcall function 008932A4: RaiseException.KERNEL32(?,?,?,0089068A,?,00941444,?,?,?,?,?,?,0089068A,00871129,00938738,00871129), ref: 00893304

__CxxThrowException@8.LIBVCRUNTIME ref: 00890685

Strings

Unknown exception, xrefs: 00890692

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f466196a23b96d600564e0b8d49b36e05b0fd03569f1372912ac3e348381712f
Instruction ID: cc9145b61d05460a5b7d7cddc2b670c8bfba2e230d1e8f7c6f4d7bfe1fdd4e42
Opcode Fuzzy Hash: f466196a23b96d600564e0b8d49b36e05b0fd03569f1372912ac3e348381712f
Instruction Fuzzy Hash: 31F0442490030D6B8F10B6A8D846D5E776CFE50354B644531BA24D55D2EF71DB55CE82

Function 008710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00871BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00871BF4
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00871BFC
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00871C07
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00871C12
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00871C1A
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00871C22

Part of subcall function 00871B4A: RegisterWindowMessageW.USER32(00000004,?,008712C4), ref: 00871BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0087136A
OleInitialize.OLE32 ref: 00871388
CloseHandle.KERNEL32(00000000,00000000), ref: 008B24AB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: bbf0a7c1a7bfb63aeada5e875239c5ad3a7a5eab70d28d14499768f5e2fafbfb
Instruction ID: e61e1a7da3dfdeb67dee1cf706f8a6371876a7f019a79475400496b6115d0942
Opcode Fuzzy Hash: bbf0a7c1a7bfb63aeada5e875239c5ad3a7a5eab70d28d14499768f5e2fafbfb
Instruction Fuzzy Hash: F3718AB89793048FC798EF7DE845E953AE4FB8A344714822AE51AC7375EB3084C0AF41

Function 008DC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00873923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00873A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008DC259
KillTimer.USER32(?,00000001,?,?), ref: 008DC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008DC270

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: e0c980a3bfb5c36f89dbae523e8d7fa65e8ccf475dd89685ce5c7d14253e8d33
Instruction ID: a9e79d0ba5d208b6222e70ebb32f17a294fbfd01fc835ded0d219930d8842807
Opcode Fuzzy Hash: e0c980a3bfb5c36f89dbae523e8d7fa65e8ccf475dd89685ce5c7d14253e8d33
Instruction Fuzzy Hash: 7F319570904354AFEB329F648895BE7BBECEB06308F04059EE5DAD7241C7745A84DB51

Function 008A86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008A85CC,?,00938CC8,0000000C), ref: 008A8704
GetLastError.KERNEL32(?,008A85CC,?,00938CC8,0000000C), ref: 008A870E
__dosmaperr.LIBCMT ref: 008A8739

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: d622ac44b38316a4bbf6f541a2c484677e960424ab86aa36ce9da8577e23090b
Instruction ID: cbe51d1bab27c1148568c7a8e8d805173c90d6916efce1f9733ea36640235170
Opcode Fuzzy Hash: d622ac44b38316a4bbf6f541a2c484677e960424ab86aa36ce9da8577e23090b
Instruction Fuzzy Hash: 40016F32614520A6FA2463386849B7E2745FBD3774F380159FA04CB9D2DEB0CCC191A1

Function 0087DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0087DB7B
DispatchMessageW.USER32(?), ref: 0087DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0087DB9F
Sleep.KERNELBASE(0000000A), ref: 0087DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 008C1CC9

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 89f00632ff6165bc72e79ad55e64cbba39983b396f8fb3b3c30026729fa01134
Instruction ID: 40859b6b46dbb8702080f4511cd829add079b9fa21df7be944df86615e13ab82
Opcode Fuzzy Hash: 89f00632ff6165bc72e79ad55e64cbba39983b396f8fb3b3c30026729fa01134
Instruction Fuzzy Hash: FFF0FE716583449BEB30DB648C89FAA73B8FF45310F508A19F65AD30D0DB70E4889B16

Function 00881310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008817F6

Strings

CALL, xrefs: 008817C6

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 5f5629a882ca976f956c9a85c58a4527d0e079942ef26b56cd118565871cf14b
Instruction ID: 9fe486d2f8b2dc9630bb6ef13dee8c96f9ae745bbb5f978f60e07d4eaf89c85c
Opcode Fuzzy Hash: 5f5629a882ca976f956c9a85c58a4527d0e079942ef26b56cd118565871cf14b
Instruction Fuzzy Hash: 1C226A706082419FCB14EF28C485A2ABBF5FF85314F24896DF596CB362DB31E856CB52

Function 00872DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 008B2C8C

Part of subcall function 00873AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00873A97,?,?,00872E7F,?,?,?,00000000), ref: 00873AC2

Part of subcall function 00872DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00872DC4

Strings

X, xrefs: 008B2C5A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: d01b8638c0c844e7570a3cc7845261821207a9d1b63479131a60ca70550456d8
Instruction ID: e8e09fddd00abfd7dcc41c6c1876deedeed3c380e558154a7787e9cdff0a573c
Opcode Fuzzy Hash: d01b8638c0c844e7570a3cc7845261821207a9d1b63479131a60ca70550456d8
Instruction Fuzzy Hash: 99215471A10258AEDB11DF98C845BEE7BF8FF49314F008059E409E7245DBB49A499F62

Function 00873837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00873908

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 10eb52d3fb1ec1df3a4bb47a0f28f141baa4092e30fa8faf48e4fcb4c728b03e
Instruction ID: c8b1baf7f8c3f2394fa8149eb234e4122253b30221a1c61c14d46a01c84e9bb2
Opcode Fuzzy Hash: 10eb52d3fb1ec1df3a4bb47a0f28f141baa4092e30fa8faf48e4fcb4c728b03e
Instruction Fuzzy Hash: D1318EB05083019FD720DF24D884B97BBE8FB49708F00092EF59AC3250E771AA44EB53

Function 0088F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0088F661

Part of subcall function 0087D730: GetInputState.USER32 ref: 0087D807

Sleep.KERNEL32(00000000), ref: 008CF2DE

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 30272237a20c77c086e440c5f5b4f747e7a5cc71a7c1b9131bc6d96870821433
Instruction ID: 69b0814676a0e0f456ecf4913d97f4bec7b5f6282b5c5cb29ab03cff1c237951
Opcode Fuzzy Hash: 30272237a20c77c086e440c5f5b4f747e7a5cc71a7c1b9131bc6d96870821433
Instruction Fuzzy Hash: 22F08C712442059FD354EF69D449B6AB7F9FF46761F004129E85DC72A1DB70A800CB92

Function 00874ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00874E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00874EDD,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E9C
Part of subcall function 00874E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00874EAE
Part of subcall function 00874E90: FreeLibrary.KERNEL32(00000000,?,?,00874EDD,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874EFD

Part of subcall function 00874E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008B3CDE,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E62
Part of subcall function 00874E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00874E74
Part of subcall function 00874E59: FreeLibrary.KERNEL32(00000000,?,?,008B3CDE,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E87

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 0705f0775e945a2c1f38188621530d3c04b499889b4faf4580e81f598ba2b17b
Instruction ID: 0b3622501561458fc619b20a5c8aa2b6b2a72bacc6f4d7b26c9758647b533d9f
Opcode Fuzzy Hash: 0705f0775e945a2c1f38188621530d3c04b499889b4faf4580e81f598ba2b17b
Instruction Fuzzy Hash: B411C132610205AADB14FB68DC12FAD77A5FF40720F10C42DF54AE62C9EFB0DA459752

Function 008A8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008A8440

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a7fce726ca6d498f26107d43f441e5cd9c332b1fb3f97aa92375d8a3f518c639
Instruction ID: 1b371504cafcf11d80d1b8a54ed1a0c1c9b2f841c4fde2f7054a8d3283dff0f6
Opcode Fuzzy Hash: a7fce726ca6d498f26107d43f441e5cd9c332b1fb3f97aa92375d8a3f518c639
Instruction Fuzzy Hash: 7911187590420AEFDF05DF58E94199A7BF9FF49314F104059F808EB312DA31DA11CBA9

Function 0089E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 38504235f835eb116408c288d582fd44627be3c06630481d0419dfd6e8cab29b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 48F0D632510E149AEE327A6D8C05B563B98FFB2334F180715F521D66D2DA709401C5A7

Function 008A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b0bb0be63a0e672f7e1935a6f20f2ec1302331376f972663406faebab5b37f0
Instruction ID: fac248d9e8c510c4528e025b37e5c2a4345c2675e436539844483d7a535785cf
Opcode Fuzzy Hash: 6b0bb0be63a0e672f7e1935a6f20f2ec1302331376f972663406faebab5b37f0
Instruction Fuzzy Hash: 62E0E53110522457FA213B6A9C04F9A3648FF437B4F090130BC14D2D91DB58DE0182E1

Function 00874F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874F6D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 153dcb083f06a1acf5493d3e9acf43a255bc62e01edaf15db92898dd72116a7b
Instruction ID: e01547179f76532d2535efc71b6f0241d145efdc186e4c02b69b123e2a10f9bf
Opcode Fuzzy Hash: 153dcb083f06a1acf5493d3e9acf43a255bc62e01edaf15db92898dd72116a7b
Instruction Fuzzy Hash: 2DF015B1109752CFDB349F64D490822BBE4FF15329324DA6EE1EEC2625CB32D844DB10

Function 00902A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00902A66

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 28013d1973869b40cce85ddd9ecab76a533a88a83334ede7cb0537cb21ffce54
Instruction ID: d6b154c75624200612b71f7a4baf1b986e18b6c71c878115eb598d16a415bccf
Opcode Fuzzy Hash: 28013d1973869b40cce85ddd9ecab76a533a88a83334ede7cb0537cb21ffce54
Instruction Fuzzy Hash: 13E0DF32354216AECB20EB34DC888FA735CEB10390B100636BC1BC2280DF34998582A0

Function 008730F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0087314E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 28afb7cb864a136db617eb2e4d074c1d90e88dd4c51951d80bddb4334ee5526d
Instruction ID: 04fc74e4aba1e14cf090ee86d772c86b1852bac12a4264deedca878bc63baa00
Opcode Fuzzy Hash: 28afb7cb864a136db617eb2e4d074c1d90e88dd4c51951d80bddb4334ee5526d
Instruction Fuzzy Hash: 50F082709143149FEB629F24DC45B957BACB701708F0000E5A14896291D7704788DB52

Function 00872DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00872DC4

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d43f14b55a52e435aa75e27ead6d094fcc0967043ff82180814a5de72556113d
Instruction ID: fbafb2d613c4712a8262dbec18b205853bccecb6237b541ac6ac6c7dd2cf22d6
Opcode Fuzzy Hash: d43f14b55a52e435aa75e27ead6d094fcc0967043ff82180814a5de72556113d
Instruction Fuzzy Hash: 62E086726041245BCB10925C9C05FEA779DEB88790F044171FD09D7249D960ED808551

Function 00872B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00873837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00873908

Part of subcall function 0087D730: GetInputState.USER32 ref: 0087D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00872B6B

Part of subcall function 008730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0087314E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 235a7994031e9803ec9e0590798d7f92ffba711285180797ae4de4e750d846c7
Instruction ID: 4c4a6e7b08c4b55503cc16d8a70419bffaa82da7c6123ce247df7a956177c95d
Opcode Fuzzy Hash: 235a7994031e9803ec9e0590798d7f92ffba711285180797ae4de4e750d846c7
Instruction Fuzzy Hash: 63E0862131424806C618BB7D985297DA759FBD6355F40953EF14EC31B7CF34C5855353

Function 008B039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,008B0704,?,?,00000000,?,008B0704,00000000,0000000C), ref: 008B03B7

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0bf8f405fc93b75bd5eabb35bc61e12c9f6c2e604e3810b649ae6e41e5339ffb
Instruction ID: 949734608a70a35f7fecd6799ea31bfb6dc15c1497af97d32be2e3593c8dc077
Opcode Fuzzy Hash: 0bf8f405fc93b75bd5eabb35bc61e12c9f6c2e604e3810b649ae6e41e5339ffb
Instruction Fuzzy Hash: A4D06C3205410DBFDF028F84DD06EDA3BAAFB48714F014100BE1856020C732E821AB90

Function 00871CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00871CBC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 910132c5220054918f62466b4bbab4c5b4d9456f418b7dd7ec05a6a0112a9401
Instruction ID: b6393fdfbc0e6da4da7dae8936ea1006afb1ea549b202f3246fb8b3e924397c3
Opcode Fuzzy Hash: 910132c5220054918f62466b4bbab4c5b4d9456f418b7dd7ec05a6a0112a9401
Instruction Fuzzy Hash: 88C0923E2AC304AFF3188B80BC4AF1077A4B349F00F448001F609A96E3D3A22860FA50

Non-executed Functions

Function 00909576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0090961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0090969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009096C9
SendMessageW.USER32 ref: 009096F2
GetKeyState.USER32(00000011), ref: 0090978B
GetKeyState.USER32(00000009), ref: 00909798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009097AE
GetKeyState.USER32(00000010), ref: 009097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009097E9
SendMessageW.USER32 ref: 00909810
SendMessageW.USER32(?,00001030,?,00907E95), ref: 00909918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0090992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00909941
SetCapture.USER32(?), ref: 0090994A
ClientToScreen.USER32(?,?), ref: 009099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009099D6
ReleaseCapture.USER32 ref: 009099E1
GetCursorPos.USER32(?), ref: 00909A19
ScreenToClient.USER32(?,?), ref: 00909A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00909A80
SendMessageW.USER32 ref: 00909AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00909AEB
SendMessageW.USER32 ref: 00909B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00909B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00909B4A
GetCursorPos.USER32(?), ref: 00909B68
ScreenToClient.USER32(?,?), ref: 00909B75
GetParent.USER32(?), ref: 00909B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00909BFA
SendMessageW.USER32 ref: 00909C2B
ClientToScreen.USER32(?,?), ref: 00909C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00909CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00909CDE
SendMessageW.USER32 ref: 00909D01
ClientToScreen.USER32(?,?), ref: 00909D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00909D82

Part of subcall function 00889944: GetWindowLongW.USER32(?,000000EB), ref: 00889952

GetWindowLongW.USER32(?,000000F0), ref: 00909E05

Strings

F, xrefs: 00909D07
@GUI_DRAGID, xrefs: 0090997D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 9f9c346a31872961e173b6dbb4b616683534bb6e1431d819d44d52b836a71fb2
Instruction ID: 26fb53795aa540f9e108e8b8dcc8a019a8b0d9f11d62a9900d9ce0774a0fd0b4
Opcode Fuzzy Hash: 9f9c346a31872961e173b6dbb4b616683534bb6e1431d819d44d52b836a71fb2
Instruction Fuzzy Hash: EA429F75608201AFD724CF28CC44EAABBE9FF49714F144A19F699872E2D732E850DF52

Function 00904873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00904908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00904927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0090494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0090495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0090497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00904A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00904A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00904A7E
IsMenu.USER32(?), ref: 00904A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00904AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00904B20
GetWindowLongW.USER32(?,000000F0), ref: 00904B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00904BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00904C82
wsprintfW.USER32 ref: 00904CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00904CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00904CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00904D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00904D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00904D5A

Strings

%d/%02d/%02d, xrefs: 00904CA8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: c00d29e46d11ef27e6da324fb19e19733677596d197ecc7cf6cc2f3e8997e47a
Instruction ID: 19da6b4ed9ffd5998d2788df01c5bb1d61e6ae82f391fd94bb48e75249b55469
Opcode Fuzzy Hash: c00d29e46d11ef27e6da324fb19e19733677596d197ecc7cf6cc2f3e8997e47a
Instruction Fuzzy Hash: 4A12BEB1600215AFEB259F28CC49FAE7BF8FF85710F104629F615EA2E1DB749941CB50

Function 0088F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0088F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008CF474
IsIconic.USER32(00000000), ref: 008CF47D
ShowWindow.USER32(00000000,00000009), ref: 008CF48A
SetForegroundWindow.USER32(00000000), ref: 008CF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008CF4AA
GetCurrentThreadId.KERNEL32 ref: 008CF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008CF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 008CF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 008CF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 008CF4DE
SetForegroundWindow.USER32(00000000), ref: 008CF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 008CF4F6
keybd_event.USER32(00000012,00000000), ref: 008CF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 008CF50B
keybd_event.USER32(00000012,00000000), ref: 008CF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 008CF519
keybd_event.USER32(00000012,00000000), ref: 008CF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 008CF528
keybd_event.USER32(00000012,00000000), ref: 008CF52D
SetForegroundWindow.USER32(00000000), ref: 008CF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 008CF557

Strings

Shell_TrayWnd, xrefs: 008CF46F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7901e1f3a78bcc3dbd2f68a4e95511102e6d39d31bd66e9d1615a9f027a2f456
Instruction ID: 1d1d82d476e29ac22d4a1ad11cf4fec2e1a024591b10aeec899b146211e46fec
Opcode Fuzzy Hash: 7901e1f3a78bcc3dbd2f68a4e95511102e6d39d31bd66e9d1615a9f027a2f456
Instruction Fuzzy Hash: 36313EB1A54218BEFB216BB55C4AFBF7E7DFB44B50F100169FB01E61D1C6B19900BAA0

Function 008D1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D170D
Part of subcall function 008D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D173A
Part of subcall function 008D16C3: GetLastError.KERNEL32 ref: 008D174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 008D1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008D12A8
CloseHandle.KERNEL32(?), ref: 008D12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008D12D1
GetProcessWindowStation.USER32 ref: 008D12EA
SetProcessWindowStation.USER32(00000000), ref: 008D12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008D1310

Part of subcall function 008D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D11FC), ref: 008D10D4
Part of subcall function 008D10BF: CloseHandle.KERNEL32(?,?,008D11FC), ref: 008D10E9

Strings

winsta0, xrefs: 008D12CC
, xrefs: 008D125A
default, xrefs: 008D130B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: b59380a47330e33fad8a53279159c7a4103f303ba9b09ef2f7e305d8c2a1a27a
Instruction ID: c7631530581062322a4507d703f58e14c8c80f2c2210fe6139c024c4f563f4db
Opcode Fuzzy Hash: b59380a47330e33fad8a53279159c7a4103f303ba9b09ef2f7e305d8c2a1a27a
Instruction Fuzzy Hash: D4817AB1900209BFDF219FA8DC49BEE7BBAFF04704F14422AF910E62A0C7718945DB65

Function 008D0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D1114
Part of subcall function 008D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1120
Part of subcall function 008D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D112F
Part of subcall function 008D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1136
Part of subcall function 008D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D0C00
GetLengthSid.ADVAPI32(?), ref: 008D0C17
GetAce.ADVAPI32(?,00000000,?), ref: 008D0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D0C6D
GetLengthSid.ADVAPI32(?), ref: 008D0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008D0C8C
HeapAlloc.KERNEL32(00000000), ref: 008D0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D0CB4
CopySid.ADVAPI32(00000000), ref: 008D0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0D45
HeapFree.KERNEL32(00000000), ref: 008D0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0D55
HeapFree.KERNEL32(00000000), ref: 008D0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0D65
HeapFree.KERNEL32(00000000), ref: 008D0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 008D0D78
HeapFree.KERNEL32(00000000), ref: 008D0D7F

Part of subcall function 008D1193: GetProcessHeap.KERNEL32(00000008,008D0BB1,?,00000000,?,008D0BB1,?), ref: 008D11A1
Part of subcall function 008D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008D0BB1,?), ref: 008D11A8
Part of subcall function 008D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008D0BB1,?), ref: 008D11B7

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a17baaed0a8d918815f456bb9eb77b7bfdae6c02494ec45e3bcc5181cad4f6f6
Instruction ID: ed9fb5ecacbd23f9c89bfe53812e0078abb300a772df55452689cce4475cfabf
Opcode Fuzzy Hash: a17baaed0a8d918815f456bb9eb77b7bfdae6c02494ec45e3bcc5181cad4f6f6
Instruction Fuzzy Hash: 6A7168B290420AAFEF109FA4DC48BAEBBB9FF05310F044716E914E7291D771AA45DF60

Function 008EEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0090CC08), ref: 008EEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 008EEB37
GetClipboardData.USER32(0000000D), ref: 008EEB43
CloseClipboard.USER32 ref: 008EEB4F
GlobalLock.KERNEL32(00000000), ref: 008EEB87
CloseClipboard.USER32 ref: 008EEB91
GlobalUnlock.KERNEL32(00000000), ref: 008EEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 008EEBC9
GetClipboardData.USER32(00000001), ref: 008EEBD1
GlobalLock.KERNEL32(00000000), ref: 008EEBE2
GlobalUnlock.KERNEL32(00000000), ref: 008EEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 008EEC38
GetClipboardData.USER32(0000000F), ref: 008EEC44
GlobalLock.KERNEL32(00000000), ref: 008EEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 008EEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008EEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 008EECD2
GlobalUnlock.KERNEL32(00000000), ref: 008EECF3
CountClipboardFormats.USER32 ref: 008EED14
CloseClipboard.USER32 ref: 008EED59

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9668af553c1245df6c0ec78cde3267c5773933a6483019f2fa819832806849b9
Instruction ID: dce28d8aab6b19c5951e9653799392967a99d8d715b027aaa02c493c39ca7a48
Opcode Fuzzy Hash: 9668af553c1245df6c0ec78cde3267c5773933a6483019f2fa819832806849b9
Instruction Fuzzy Hash: C261FE74208242AFD310EF29D884F2AB7A4FF85714F148619F45AD72A2DB31DD09DB62

Function 008E698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008E69BE
FindClose.KERNEL32(00000000), ref: 008E6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008E6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008E6A75

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 008E6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 008E6ADF

Strings

%4d, xrefs: 008E6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 008E6B32
%02d, xrefs: 008E6C00, 008E6C0A, 008E6C5A, 008E6CAA, 008E6CFA, 008E6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 008E6B6A
%03d, xrefs: 008E6DA2

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 14e9619ad284e2b16dcf08f1c1027a543b7a5131e3e454f675122f8767736aff
Instruction ID: 7b78551fa48414624654c0d36d787269cc77baf9d14df2c34e5ea7944d95fd1e
Opcode Fuzzy Hash: 14e9619ad284e2b16dcf08f1c1027a543b7a5131e3e454f675122f8767736aff
Instruction Fuzzy Hash: 13D12D72508340AEC714EBA8C882EABB7E8FF99704F44491DF589D7191EB74DA44CB63

Function 008E9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 008E9663
GetFileAttributesW.KERNEL32(?), ref: 008E96A1
SetFileAttributesW.KERNEL32(?,?), ref: 008E96BB
FindNextFileW.KERNEL32(00000000,?), ref: 008E96D3
FindClose.KERNEL32(00000000), ref: 008E96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008E96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 008E974A
SetCurrentDirectoryW.KERNEL32(00936B7C), ref: 008E9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 008E9772
FindClose.KERNEL32(00000000), ref: 008E977F
FindClose.KERNEL32(00000000), ref: 008E978F

Strings

*.*, xrefs: 008E96F5

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: c1e89b2de4b9bd86a1808db916134b78e233da7e3529893f9ae52d3cff29cefd
Instruction ID: 0e5db32493a9a56cdfcee240fe3dfc5c94d2c0476e66a959a729eb2e6282d82c
Opcode Fuzzy Hash: c1e89b2de4b9bd86a1808db916134b78e233da7e3529893f9ae52d3cff29cefd
Instruction Fuzzy Hash: B331F3725142597EDF20AFB9DC08ADE77ACFF4A320F144166F895E21A1DB70DD448E10

Function 008E979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 008E97BE
FindNextFileW.KERNEL32(00000000,?), ref: 008E9819
FindClose.KERNEL32(00000000), ref: 008E9824
FindFirstFileW.KERNEL32(*.*,?), ref: 008E9840
SetCurrentDirectoryW.KERNEL32(?), ref: 008E9890
SetCurrentDirectoryW.KERNEL32(00936B7C), ref: 008E98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008E98B8
FindClose.KERNEL32(00000000), ref: 008E98C5
FindClose.KERNEL32(00000000), ref: 008E98D5

Part of subcall function 008DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008DDB00

Strings

*.*, xrefs: 008E983B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 428a3c368ba6bcfca20367f757f893d656e06c495cb699a7ee9d38de91531e82
Instruction ID: ab4887762aa1e7f1cf113046c5e61b8dacc2999ad82bee41cc15bba49298c912
Opcode Fuzzy Hash: 428a3c368ba6bcfca20367f757f893d656e06c495cb699a7ee9d38de91531e82
Instruction Fuzzy Hash: 8731A0715042697EDF20AFA9DC48ADE77ACEF47324F148165E890E21E1DBB0D9458E20

Function 008FBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FB6AE,?,?), ref: 008FC9B5
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FC9F1
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA68
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008FBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 008FBFA9
RegCloseKey.ADVAPI32(00000000), ref: 008FBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008FC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008FC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008FC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008FC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 008FC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008FC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008FC382
RegCloseKey.ADVAPI32(00000000), ref: 008FC38F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: cda2587b876de2ebb022637268def102caf738bff224fbc3f64a21862155be48
Instruction ID: 90a715da4be17de99c55714e0fe91e4d6dac1843ee331bb63c7c42364a313324
Opcode Fuzzy Hash: cda2587b876de2ebb022637268def102caf738bff224fbc3f64a21862155be48
Instruction Fuzzy Hash: 700239716042049FD714DF28C991E2ABBE5FF89318F18C49DE94ACB2A2DB31ED45CB52

Function 008E8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008E8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 008E8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008E8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008E8310
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8324
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008E838C
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8395

Strings

*.*, xrefs: 008E839B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 21accf1a6909509c045d349246d1d39f9602c15fc2cfbae5efe4568c902777b9
Instruction ID: f71721f09f84f43b62314f139fc0e248a9eb858c62cae670c81f752ce4dd5b9b
Opcode Fuzzy Hash: 21accf1a6909509c045d349246d1d39f9602c15fc2cfbae5efe4568c902777b9
Instruction Fuzzy Hash: 816169B25083459FCB10EF69C8419AEB3E8FF8A314F04891EF999D7251DB31E945CB92

Function 008DD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00873AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00873A97,?,?,00872E7F,?,?,?,00000000), ref: 00873AC2

Part of subcall function 008DE199: GetFileAttributesW.KERNEL32(?,008DCF95), ref: 008DE19A

FindFirstFileW.KERNEL32(?,?), ref: 008DD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008DD1DD
MoveFileW.KERNEL32(?,?), ref: 008DD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 008DD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 008DD237

Part of subcall function 008DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,008DD21C,?,?), ref: 008DD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 008DD253
FindClose.KERNEL32(00000000), ref: 008DD264

Strings

\*.*, xrefs: 008DD0CD, 008DD0D6, 008DD0EB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 43c1729685af587e903f58d2d3069687492adae5aca9e12f027712b51e4613f5
Instruction ID: 241c66699e1140b5214723882d1e608eabd5458b5787f420b56fd75d93185c4f
Opcode Fuzzy Hash: 43c1729685af587e903f58d2d3069687492adae5aca9e12f027712b51e4613f5
Instruction Fuzzy Hash: DA616E3180520D9ECF05EBE8D9929EDB779FF55300F208266E415B7295EB30AF09DB62

Function 008EED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008EED91
EmptyClipboard.USER32 ref: 008EED97
GlobalAlloc.KERNEL32(00000002,?), ref: 008EEDAC
CloseClipboard.USER32 ref: 008EEEA3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b8a7a28a044b7f9b3df94bb4d489382cab4b8164208ce4bee5a173e3d26e70e5
Instruction ID: 2ccd1d394ab9b03788b42fad841822b00e8b151aaaf3c6fe4338c4a1248435fc
Opcode Fuzzy Hash: b8a7a28a044b7f9b3df94bb4d489382cab4b8164208ce4bee5a173e3d26e70e5
Instruction Fuzzy Hash: BB41AD75608652AFE720DF1AD888F19BBE1FF45318F14C199E419CB6A2C776EC41CB90

Function 008DE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D170D
Part of subcall function 008D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D173A
Part of subcall function 008D16C3: GetLastError.KERNEL32 ref: 008D174A

ExitWindowsEx.USER32(?,00000000), ref: 008DE932

Strings

, xrefs: 008DE95C
SeShutdownPrivilege, xrefs: 008DE902
@, xrefs: 008DE925
, xrefs: 008DE920

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c325418bb1563270a7e1a49553b25ce4ad8d7496e54317fdf677ee9e7d6ac294
Instruction ID: 6f076e28a4d369959ec927100247deb8c2914b01fecc488a7db09807e2cf7eb6
Opcode Fuzzy Hash: c325418bb1563270a7e1a49553b25ce4ad8d7496e54317fdf677ee9e7d6ac294
Instruction Fuzzy Hash: D60126B2621215BFEB1437B89C9ABBF776CFB14744F140B23F802E63D1D5A05C408190

Function 008F1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 008F1276
WSAGetLastError.WSOCK32 ref: 008F1283
bind.WSOCK32(00000000,?,00000010), ref: 008F12BA
WSAGetLastError.WSOCK32 ref: 008F12C5
closesocket.WSOCK32(00000000), ref: 008F12F4
listen.WSOCK32(00000000,00000005), ref: 008F1303
WSAGetLastError.WSOCK32 ref: 008F130D
closesocket.WSOCK32(00000000), ref: 008F133C

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: e5ed1e29b638d0647c0327fa8663fec8972c1c9a96a561aad4753ae3507c045a
Instruction ID: 45f53755890eb6018352c8bc66b8ed5e2539c91d4335f45c4bbd0ea7989348cf
Opcode Fuzzy Hash: e5ed1e29b638d0647c0327fa8663fec8972c1c9a96a561aad4753ae3507c045a
Instruction Fuzzy Hash: BC414D71600154DFDB10DF68C488B29BBE6FF46318F188198E956DF296C771ED81CBA1

Function 008AB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008AB9D4
_free.LIBCMT ref: 008AB9F8
_free.LIBCMT ref: 008ABB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00913700), ref: 008ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0094121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00941270,000000FF,?,0000003F,00000000,?), ref: 008ABC36
_free.LIBCMT ref: 008ABD4B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: c475aa981a30b4068de7e4a3b5ecf90bc282bddb48cffb3e0322edb61a0a7cf4
Instruction ID: d3d67381cc7ccc98c2ada192d643e524350c006ba2f83e5e6d28a75d57472daf
Opcode Fuzzy Hash: c475aa981a30b4068de7e4a3b5ecf90bc282bddb48cffb3e0322edb61a0a7cf4
Instruction Fuzzy Hash: 8FC13771904258AFEB209F689C41BAA7BF8FF43320F1841AAE590D7A53E7309E41D751

Function 008DD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00873AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00873A97,?,?,00872E7F,?,?,?,00000000), ref: 00873AC2

Part of subcall function 008DE199: GetFileAttributesW.KERNEL32(?,008DCF95), ref: 008DE19A

FindFirstFileW.KERNEL32(?,?), ref: 008DD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 008DD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 008DD481
FindClose.KERNEL32(00000000), ref: 008DD498
FindClose.KERNEL32(00000000), ref: 008DD4A1

Strings

\*.*, xrefs: 008DD3F2

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 352dee24ad713e16ef5d5977cfee06deae9e9a8288f847c9973564bb2f829314
Instruction ID: 1fd063a3fb5e310d9d4ea32d445a17ca4ea95dcc2d4eda8b8f5c083f2cf7c63c
Opcode Fuzzy Hash: 352dee24ad713e16ef5d5977cfee06deae9e9a8288f847c9973564bb2f829314
Instruction Fuzzy Hash: 453141710183459FC304EF68D8919AF77A8FE95314F448A1EF4E5D2291EB30EA09D767

Function 008AE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008AE645

Strings

1#INF, xrefs: 008AF852
1#IND, xrefs: 008AF83D
1#QNAN, xrefs: 008AF84B
1#SNAN, xrefs: 008AF844

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fc09c8566d1baea575e6d83ad7aec9e15ccd5f7891735fbee9a66d06a9401964
Instruction ID: dce6ff473c0f91a3c2999a5f2ddf8e548bd4a3bfe7108983b37f5fab58f2f742
Opcode Fuzzy Hash: fc09c8566d1baea575e6d83ad7aec9e15ccd5f7891735fbee9a66d06a9401964
Instruction Fuzzy Hash: B5C25971E086288FEB25CE68DD407EAB7B5FB4A304F1445EAD50DE7641E778AE818F40

Function 008E648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008E64DC
CoInitialize.OLE32(00000000), ref: 008E6639
CoCreateInstance.OLE32(0090FCF8,00000000,00000001,0090FB68,?), ref: 008E6650
CoUninitialize.OLE32 ref: 008E68D4

Strings

.lnk, xrefs: 008E64BA, 008E6524, 008E65E0

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 02fa33872e0e6d374c433363e90f7ea5dbf04c1d29a14aeba3d9f9dc819f9369
Instruction ID: d294a09d2b6d0b7cd711adedbb70c20d2ba95221d5f014f48cd5414f7060e843
Opcode Fuzzy Hash: 02fa33872e0e6d374c433363e90f7ea5dbf04c1d29a14aeba3d9f9dc819f9369
Instruction Fuzzy Hash: CCD13971608241AFC314EF28C881D6BB7E8FF95744F10896DF599CB2A5EB70E905CB92

Function 008F22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008F22E8

Part of subcall function 008EE4EC: GetWindowRect.USER32(?,?), ref: 008EE504

GetDesktopWindow.USER32 ref: 008F2312
GetWindowRect.USER32(00000000), ref: 008F2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 008F2355
GetCursorPos.USER32(?), ref: 008F2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008F23DF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 76cf34468c87c52e86914c908263a3cbc52177fefaefcd83e7fe653bc48372d8
Instruction ID: 8d6873eb9f0265b7d6f968025b1c5aa8d0fd5ba72436382ec757c9690e64dd7f
Opcode Fuzzy Hash: 76cf34468c87c52e86914c908263a3cbc52177fefaefcd83e7fe653bc48372d8
Instruction Fuzzy Hash: BC31B0B2509319AFD720DF64C849F6BBBA9FF84314F000A19F985D7291DB74E909CB92

Function 008E9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 008E9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 008E9C8B

Part of subcall function 008E3874: GetInputState.USER32 ref: 008E38CB
Part of subcall function 008E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 008E9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 008E9C75

Strings

*.*, xrefs: 008E9B5D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 21a3e520be571f6d9b0b6525d4451afc3226d5895432a37364fa232fc1eb5ab1
Instruction ID: 2c602eb2dbf7d44bfa45084ad0f1bac22d57de739eae964c6621f20cd32ffe70
Opcode Fuzzy Hash: 21a3e520be571f6d9b0b6525d4451afc3226d5895432a37364fa232fc1eb5ab1
Instruction Fuzzy Hash: 55418371904249AFCF14EF69C885AEEBBB4FF46310F248155E455E2191EB70DE84CF61

Function 0088997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00889A4E
GetSysColor.USER32(0000000F), ref: 00889B23
SetBkColor.GDI32(?,00000000), ref: 00889B36

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 597d25afafa4c359cce51860948bdd6696e497da8a349d7cef792962419663ed
Instruction ID: 62563c771deb52f2d82fcc43ba63a6efff6b930c9a6ca2cdc2d263924c2c94f9
Opcode Fuzzy Hash: 597d25afafa4c359cce51860948bdd6696e497da8a349d7cef792962419663ed
Instruction Fuzzy Hash: CDA11B70218428BEE72CBA2C9C49F7B36ADFB82354B18410DF582D6AD2CA35DD41D772

Function 008F1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008F304E: inet_addr.WSOCK32(?), ref: 008F307A
Part of subcall function 008F304E: _wcslen.LIBCMT ref: 008F309B

socket.WSOCK32(00000002,00000002,00000011), ref: 008F185D
WSAGetLastError.WSOCK32 ref: 008F1884
bind.WSOCK32(00000000,?,00000010), ref: 008F18DB
WSAGetLastError.WSOCK32 ref: 008F18E6
closesocket.WSOCK32(00000000), ref: 008F1915

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 9699028dba8f3e5369f02cda1ca85fbc045547ddc69e63ce6bc93d209f10ad2e
Instruction ID: c0a7c2f08af0e639619a7ed9af94253233efab150cfcc8481241fbf295b6c163
Opcode Fuzzy Hash: 9699028dba8f3e5369f02cda1ca85fbc045547ddc69e63ce6bc93d209f10ad2e
Instruction Fuzzy Hash: 7951A371A002049FDB10AF28C886F3A77A5FB45718F14C058F9099F397DB71ED418BA2

Function 00901C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00901CC0
IsWindowEnabled.USER32 ref: 00901CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00901CDB
IsIconic.USER32 ref: 00901CE9
IsZoomed.USER32 ref: 00901CF7

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a1af63b4ddd1dc4eb53fe5802c86acfdfb5c27b890794fac2ac21d1b18fd99da
Instruction ID: 0c8d909a05cc784c0fb9512e6c839506e5b0032f636088904567cb227032b55e
Opcode Fuzzy Hash: a1af63b4ddd1dc4eb53fe5802c86acfdfb5c27b890794fac2ac21d1b18fd99da
Instruction Fuzzy Hash: 6D2174717442115FE7208F2AC884B5A7BE9FF95315F198059E88ACB3D1CB75EC42DB90

Function 00878060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008B5DF0
VUUU, xrefs: 008783FA
ERCP, xrefs: 0087813C
VUUU, xrefs: 008783E8
VUUU, xrefs: 0087843C

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 4acfdb28180906a825ead8aa434bf8643048d8576ef558719f3973d2b76c1543
Instruction ID: 25373d4dfa6fedc39a9d93a1d27cd8250f0573510e06d070b5af64565693f878
Opcode Fuzzy Hash: 4acfdb28180906a825ead8aa434bf8643048d8576ef558719f3973d2b76c1543
Instruction Fuzzy Hash: CEA24871A4061ACBDF24CF58C8447EEB7B1FB54314F2481AAE819E7389EB74DD918B90

Function 008DAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 008DAAAC
SetKeyboardState.USER32(00000080), ref: 008DAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 008DAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 008DAB88

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 726455193f199a47c210d5c3dfca57d19728961731e73c86947db5f9ef3cf4fc
Instruction ID: 4703af49c4bbb4a426e1b15323b6dfde88a26a654547e871010164657e8b8a75
Opcode Fuzzy Hash: 726455193f199a47c210d5c3dfca57d19728961731e73c86947db5f9ef3cf4fc
Instruction Fuzzy Hash: 4E31E770A40258AEEB398B688C05BFE7BA6FB45330F24431BF581D63D1D7758982D762

Function 008ECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 008ECE89
GetLastError.KERNEL32(?,00000000), ref: 008ECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 008ECEFE

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 8f294e1ace75a6c58ec1da3b95103b0c9b52dcf5d9b65fc13d1a399af8765cac
Instruction ID: 41f0a5accb6e02a6aa58a9b34500942c8f551d2d98f7cf13c90711ced5247e62
Opcode Fuzzy Hash: 8f294e1ace75a6c58ec1da3b95103b0c9b52dcf5d9b65fc13d1a399af8765cac
Instruction Fuzzy Hash: E221BDB1904306AFDB20DFA6C949BAA7BF8FB42318F10441EE546D2151EB70EE069B60

Function 008D8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008D82AA

Strings

|, xrefs: 008D82DA
(, xrefs: 008D82F0

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: bd982da6baec77311e5979f3268971af73ea9dab0c7a40bea288ba6721b6b682
Instruction ID: 27926c36e77c57f9ab36c61b042b62fe2a6a3b06a0e612a004275058ddb5f7d6
Opcode Fuzzy Hash: bd982da6baec77311e5979f3268971af73ea9dab0c7a40bea288ba6721b6b682
Instruction Fuzzy Hash: E1322474A00605DFCB28CF59C481A6AB7F1FF48720B15C56EE59ADB3A1EB70E941CB44

Function 008E5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008E5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 008E5D17
FindClose.KERNEL32(?), ref: 008E5D5F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 3b8ed9b111c84049bfa6ac28e548e4181268934b27faf993515c5e54f549b4a1
Instruction ID: 423cc0d6b33540b18d2c5d5c3294fe3ee1f944036c8cc68777beed64e1e89b56
Opcode Fuzzy Hash: 3b8ed9b111c84049bfa6ac28e548e4181268934b27faf993515c5e54f549b4a1
Instruction Fuzzy Hash: 93518A74604A419FC714DF29C894A9AB7E4FF4A318F14856DE96ACB3A2CB30ED44CB91

Function 008A2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008A271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008A2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008A2731

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1fe84d59c2b9ed5711f9c8d78ea4a827eb4e5cf69bb4bf9df8449d255bc1afa4
Instruction ID: 61e6747cfb520bea1ca510459b9559d0b1b675f2335828cf67c1ab596bb377ce
Opcode Fuzzy Hash: 1fe84d59c2b9ed5711f9c8d78ea4a827eb4e5cf69bb4bf9df8449d255bc1afa4
Instruction Fuzzy Hash: 7731B474911228ABCB21DF68DD89799B7B8FF08310F5042EAE81CA6261E7349F819F45

Function 008E51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008E51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008E5238
SetErrorMode.KERNEL32(00000000), ref: 008E52A1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 408b82f232e074a82d9e3e8a768ae7421a7d25fb5ee8c01bcd9ba04fcf9bf3c8
Instruction ID: 0937dd0b24a178628bc5c2d167c065ac619c348690a7f07d4e1a8c57032cccdb
Opcode Fuzzy Hash: 408b82f232e074a82d9e3e8a768ae7421a7d25fb5ee8c01bcd9ba04fcf9bf3c8
Instruction Fuzzy Hash: 76318F75A10608DFDB00DF54D884EADBBB5FF09318F048099E909EB3A6CB71E845CB91

Function 008D16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0088FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00890668
Part of subcall function 0088FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00890685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D173A
GetLastError.KERNEL32 ref: 008D174A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 11a882cf106cb79e4b20209805bf8d7e88fd1c8af8163aec670ebe587d032710
Instruction ID: 45825ab8938f62c8f4abe5578adb60d5e83885434bc0bff477176cc9ab34b10b
Opcode Fuzzy Hash: 11a882cf106cb79e4b20209805bf8d7e88fd1c8af8163aec670ebe587d032710
Instruction Fuzzy Hash: 8E11BFB2414208BFDB18AF54DC8AD6AB7BDFF04714B20862EE55692252EB70BC418B20

Function 008DD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008DD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 008DD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008DD650

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f54263517a93d03c16895d8061e4c01633f64082b64dbf76e575484b8f896f13
Instruction ID: d9133e4eede7a52e282b234e6c951725526c58afc716ec75ebe8325f44b23e1c
Opcode Fuzzy Hash: f54263517a93d03c16895d8061e4c01633f64082b64dbf76e575484b8f896f13
Instruction Fuzzy Hash: CB1170B1E05228BFDB108F94AC44FAFBBBCEB45B50F108252F904E7290D2704A018BE1

Function 008D1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 008D168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008D16A1
FreeSid.ADVAPI32(?), ref: 008D16B1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b522c37ea033248ed020688d65433e7a0b6fb312b95bc025831bd75a88dfe316
Instruction ID: 120f1e9697350f59ba9f96a1ca799b1c3871bf90ea25b6ed4a3dbc7bdce7d3fe
Opcode Fuzzy Hash: b522c37ea033248ed020688d65433e7a0b6fb312b95bc025831bd75a88dfe316
Instruction Fuzzy Hash: A5F0F4B1950309FFEF00DFE49D89AAEBBBCFB08604F504665E501E2181E774AA449A50

Function 008AC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 008AC36C

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 97c7d3f313ce090bf1534f8bc8e8407154025c7bfea242eb3a7c4ac4b88afe11
Instruction ID: 1b3541fdb14b96967389a491fffe4121c9b70b1b76f4e6cb3e03e730cb75ac0c
Opcode Fuzzy Hash: 97c7d3f313ce090bf1534f8bc8e8407154025c7bfea242eb3a7c4ac4b88afe11
Instruction Fuzzy Hash: 95414776900618AFEF209FB9CC48EBB77B8FB86314F1042A9F905D7680E6709D80CB50

Function 008CD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 008CD28C

Strings

X64, xrefs: 008CD2A8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: fe2a283d518c62a836ae66bc8b626480679d786de0962f218adae3878883e2ec
Instruction ID: 1bc885c1f229d5ac8ea4673f7f834a5e33d0a6ce305318d0f726896bfca06a93
Opcode Fuzzy Hash: fe2a283d518c62a836ae66bc8b626480679d786de0962f218adae3878883e2ec
Instruction Fuzzy Hash: FBD0E9B581521DEECF94DB90DC88DD9B77CFB14349F104655F506E2140D77495499F10

Function 0089CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 6df62eff897fea677e31b1417e8011e20c5b0cb7f9535fae5d6cc56799a804fb
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 31021D71E002199FDF14DFA9C9906ADFBF1FF48314F298169E819EB384D731AA418B94

Function 008E68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008E6918
FindClose.KERNEL32(00000000), ref: 008E6961

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0f026cc7049b516e9ac0e288937bdb53122a16f250bafec3f5d98cce66a073a1
Instruction ID: 399f63ecc0f0838b49754a917ba991d1ef861aae114c24522bf03b5e828f2053
Opcode Fuzzy Hash: 0f026cc7049b516e9ac0e288937bdb53122a16f250bafec3f5d98cce66a073a1
Instruction Fuzzy Hash: FE1190716142409FC710DF2AD484A1ABBE5FF85328F14C69DE469CF6A2DB30EC05CB91

Function 008E37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,008F4891,?,?,00000035,?), ref: 008E37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,008F4891,?,?,00000035,?), ref: 008E37F4

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 312323a96a487ced89d41588f2ccdc1059b98050efe9f6b51336024a470beeb4
Instruction ID: 5e5268195f7dff8b27d5dfec67ca359b85023e6e397074c06a4d367e341c069a
Opcode Fuzzy Hash: 312323a96a487ced89d41588f2ccdc1059b98050efe9f6b51336024a470beeb4
Instruction Fuzzy Hash: 0BF0E5B16052292AEB20176B8C4DFEB3AAEFFC5765F000275F509E3281D9609D04C6B1

Function 008DB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 008DB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 008DB270

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: e9b8688fa0d5fc64f3eb707af6bb28c7838bca7dd271425e1f459a7a86b1bca8
Instruction ID: c08c2f5c8afd52d7317e70df5e97740251da5bf107efd12efeb20a46f88c3ebe
Opcode Fuzzy Hash: e9b8688fa0d5fc64f3eb707af6bb28c7838bca7dd271425e1f459a7a86b1bca8
Instruction Fuzzy Hash: 2EF01D7581424DAFDB059FA0C805BAE7BB4FF04309F00810AF955E6291C37996119F94

Function 008D10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D11FC), ref: 008D10D4
CloseHandle.KERNEL32(?,?,008D11FC), ref: 008D10E9

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 011ff55335d4c3cc5288eead3131af8602b44e5063dab383c7ad35b10b544eb7
Instruction ID: fe2733f254cf92e79770933e678cba925e0f475acc39eb3ae1abe0cca36936da
Opcode Fuzzy Hash: 011ff55335d4c3cc5288eead3131af8602b44e5063dab383c7ad35b10b544eb7
Instruction Fuzzy Hash: 01E04F72018600EEEB252B15FC09E7377A9FF04310B10892EF5A5C04B1DB626CA0EB10

Function 0087CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 008C0C40

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 9e34abe1d3c529335b4cb85738e67b94bd0bd69528010b0a20be71f668858e4b
Instruction ID: a91ef9daa8a34843f980f61eedcbf42fe878cefa4ca43cdce5d829ede0349261
Opcode Fuzzy Hash: 9e34abe1d3c529335b4cb85738e67b94bd0bd69528010b0a20be71f668858e4b
Instruction Fuzzy Hash: AF324470904218DBDF14DF94C880BEDBBB5FB05348F24806DE80AEB296DB75EA45DB61

Function 008A676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008A6766,?,?,00000008,?,?,008AFEFE,00000000), ref: 008A6998

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8859cbcfd05377ecaec92f21b6b9288aade7c2e514ebfa95a245a7c847de87b6
Instruction ID: 0dc82cec07daad9fca6c2f051884cc6eead1756383c73182bc0797cd5356a647
Opcode Fuzzy Hash: 8859cbcfd05377ecaec92f21b6b9288aade7c2e514ebfa95a245a7c847de87b6
Instruction Fuzzy Hash: D3B16E31510608DFE715CF28C48AB657BE0FF06364F298658E999CF6A5D339E9A1CB40

Function 0088B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 008C851F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ed220bdd874db85815af22ad4f2a0f9af121e6cc6c6d343495a783600786e20b
Instruction ID: 899d0dfed7bdabd708ad9e454a523ee20dbf1681fca52b4f72961b46d2d928b0
Opcode Fuzzy Hash: ed220bdd874db85815af22ad4f2a0f9af121e6cc6c6d343495a783600786e20b
Instruction Fuzzy Hash: 14124E71900229DFDB14DF58C881BAEB7F5FF48710F1481AAE849EB255DB709E81CB94

Function 008EEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 008EEABD

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f48e4831c16cf0c14c7d3ebed7e7e5585abb6d8473e1aa5767b630887b23cee3
Instruction ID: 0ff90fc5b14d26bff8949e925b5f01abc85972ca121a14fb1491eee75be05d55
Opcode Fuzzy Hash: f48e4831c16cf0c14c7d3ebed7e7e5585abb6d8473e1aa5767b630887b23cee3
Instruction Fuzzy Hash: 7FE01A312102149FC710EF6AD804E9AB7E9FFA9764F00842AFC49C7291DBB0E8408B91

Function 008909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008903EE), ref: 008909DA

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f2186fa7556b118037bbaf52851924e4cfa28b9d45be9b495200e82146f2b644
Instruction ID: a671a80208a6119f6cda156b34aaaeca8754292876a4f5d32ea3016fd51647f2
Opcode Fuzzy Hash: f2186fa7556b118037bbaf52851924e4cfa28b9d45be9b495200e82146f2b644
Instruction Fuzzy Hash:

Function 0089781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0089798B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 105b450523e1649301ffa90e137fbbd2545c2f16bb718132ab4ff5bb287f466e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: D951696163C64A9BDF38752C885D7BE2BC5FB12348F1C0539E882E7682C619DE02D35E

Function 008A6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d5a8e90960c8f1d2ba8e33c6308e8977bf94e22675592eb2d05fdde4f66e38
Instruction ID: 1b0cba2d3fa15c0dbeba15f5be1d8efd7691bb5841c057fc75cc0625c0f53cec
Opcode Fuzzy Hash: 89d5a8e90960c8f1d2ba8e33c6308e8977bf94e22675592eb2d05fdde4f66e38
Instruction Fuzzy Hash: 8332D022E2DF414DE7239634DC22326A649EFB73C5F15D737E81AB5DA5EB29C483A100

Function 0088CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a039471da09ba94f2fcf04afa7001cb0c6ce103b1bb2b5016f0ddc1e6fb4488
Instruction ID: a5271d885d2b0550bf15e097e8bb1f8ac2663c1a87e9888dfed51afaacd8af1e
Opcode Fuzzy Hash: 2a039471da09ba94f2fcf04afa7001cb0c6ce103b1bb2b5016f0ddc1e6fb4488
Instruction Fuzzy Hash: 07321132A041198BCF28CE29C494F7DBBB2FB45314F28856ED88ECB695D234DD81EB51

Function 00877920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c483beafa9be102c50466c87b48cc758905471dc4af0d40776eddddc9c684dda
Instruction ID: 27c35ca02b0a6ceef9c1cfbd93ae8ea88eaef3d44ca4d800402790c176930c7c
Opcode Fuzzy Hash: c483beafa9be102c50466c87b48cc758905471dc4af0d40776eddddc9c684dda
Instruction Fuzzy Hash: B522ADB0A0460A9FDF14DFA8C881AEEB7B5FF48314F148529E816E7395EB35E910CB51

Function 008791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c529bffa7e80b640d919a901db19c2273de868e665f038ab06d9afbdcc0f5b70
Instruction ID: 685bd8c70cad02d24edb7cb07262983dfdfe3bd63c06b902cf231f36a7a8af5d
Opcode Fuzzy Hash: c529bffa7e80b640d919a901db19c2273de868e665f038ab06d9afbdcc0f5b70
Instruction Fuzzy Hash: 9802B5B0A10119EFDB04DF58D881AEEB7B5FF54304F108169E95ADB395EB31EA20CB91

Function 008A9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52225a380b986bb2e50f4b6624964a122f01e475378c5e1b7715c77a1b8dd2a6
Instruction ID: 74fbe515ca79fd9e729137667054521215f68c1f62d2f1035128a74568d3c882
Opcode Fuzzy Hash: 52225a380b986bb2e50f4b6624964a122f01e475378c5e1b7715c77a1b8dd2a6
Instruction Fuzzy Hash: 9EB1D220E3AF414DD62396398831336FA5CAFBB6D5F91D71BFC2674D62EB2285839140

Function 00897A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88912d78f17b9f7e76a7e7888c5e540673094bc27063998412c1867103ad44f
Instruction ID: f91c3c07ee2af0abcd856d2d7e404d97143fd8be0754761141577203fe9e8c7a
Opcode Fuzzy Hash: c88912d78f17b9f7e76a7e7888c5e540673094bc27063998412c1867103ad44f
Instruction Fuzzy Hash: 2761897133871A96DE38BA2C8C95BBE23D5FF42768F1C091AE943DB281D6119E42C356

Function 00897CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03d44300341ae8107b29ad537ea03f0fe37ad3e27bb54be6a3212d7755711ef
Instruction ID: 2ae9cd3516b8a21a1cbb27b87475cb178e3065e9e9464a80a4934eccf0bf9820
Opcode Fuzzy Hash: d03d44300341ae8107b29ad537ea03f0fe37ad3e27bb54be6a3212d7755711ef
Instruction Fuzzy Hash: 0D61697173C70997DE387A2C8855BBF2394FF42B08F1C0959E943DB685EA12AD428356

Function 008E2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105625d196adb4cacc2b8cf326e0780631eaf0d45eebb35ffc3e5cf000b08b56
Instruction ID: 6993a225497bb729d2b222709f5de7219772f2010995d7905d0f5705717935d9
Opcode Fuzzy Hash: 105625d196adb4cacc2b8cf326e0780631eaf0d45eebb35ffc3e5cf000b08b56
Instruction Fuzzy Hash: 1C21A8326206158BD728CF79C81267A73E9F755310F55862EE4A7C37D0DE35A904DB80

Function 008F2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008F2B30
DeleteObject.GDI32(00000000), ref: 008F2B43
DestroyWindow.USER32 ref: 008F2B52
GetDesktopWindow.USER32 ref: 008F2B6D
GetWindowRect.USER32(00000000), ref: 008F2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 008F2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 008F2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2CF8
GetClientRect.USER32(00000000,?), ref: 008F2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008F2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2D80
GlobalLock.KERNEL32(00000000), ref: 008F2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2D98
GlobalUnlock.KERNEL32(00000000), ref: 008F2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2DA8
GlobalFree.KERNEL32(00000000), ref: 008F2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0090FC38,00000000), ref: 008F2DDB
GlobalFree.KERNEL32(00000000), ref: 008F2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 008F2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 008F2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F303F

Strings

AutoIt v3, xrefs: 008F2CF2
, xrefs: 008F2FC5
static, xrefs: 008F2D3A, 008F2E91
DISPLAY, xrefs: 008F2EA2

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: aad809456f245fd59cd0b13bc4ee62ff8417c3132265e841d57eaf39b6a76426
Instruction ID: 276de968b6450524c39d4666502bd9f60418d6521995a36295bf0aec4526aad7
Opcode Fuzzy Hash: aad809456f245fd59cd0b13bc4ee62ff8417c3132265e841d57eaf39b6a76426
Instruction Fuzzy Hash: F9026BB5510209AFDB14DF68CC89EAE7BB9FB49714F108218F915EB2A1CB70ED01DB60

Function 009070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0090712F
GetSysColorBrush.USER32(0000000F), ref: 00907160
GetSysColor.USER32(0000000F), ref: 0090716C
SetBkColor.GDI32(?,000000FF), ref: 00907186
SelectObject.GDI32(?,?), ref: 00907195
InflateRect.USER32(?,000000FF,000000FF), ref: 009071C0
GetSysColor.USER32(00000010), ref: 009071C8
CreateSolidBrush.GDI32(00000000), ref: 009071CF
FrameRect.USER32(?,?,00000000), ref: 009071DE
DeleteObject.GDI32(00000000), ref: 009071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00907230
FillRect.USER32(?,?,?), ref: 00907262
GetWindowLongW.USER32(?,000000F0), ref: 00907284

Part of subcall function 009073E8: GetSysColor.USER32(00000012), ref: 00907421
Part of subcall function 009073E8: SetTextColor.GDI32(?,?), ref: 00907425
Part of subcall function 009073E8: GetSysColorBrush.USER32(0000000F), ref: 0090743B
Part of subcall function 009073E8: GetSysColor.USER32(0000000F), ref: 00907446
Part of subcall function 009073E8: GetSysColor.USER32(00000011), ref: 00907463
Part of subcall function 009073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00907471
Part of subcall function 009073E8: SelectObject.GDI32(?,00000000), ref: 00907482
Part of subcall function 009073E8: SetBkColor.GDI32(?,00000000), ref: 0090748B
Part of subcall function 009073E8: SelectObject.GDI32(?,?), ref: 00907498
Part of subcall function 009073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009074B7
Part of subcall function 009073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009074CE
Part of subcall function 009073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009074DB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ca7e926afb6eabccf1ef797da7b0a63869b1b4c7a02958b5ff03772a11061b8b
Instruction ID: f152102da4dba74fe6677f13227c15cbd1bf4ff6ef63ced6ceddf38adbdb9f4c
Opcode Fuzzy Hash: ca7e926afb6eabccf1ef797da7b0a63869b1b4c7a02958b5ff03772a11061b8b
Instruction Fuzzy Hash: E4A19EB241C301AFDB109FA4DC48A6BBBA9FF89331F100B19F962961E1D735E944DB51

Function 008F2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008F273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008F286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008F28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008F28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 008F2900
GetClientRect.USER32(00000000,?), ref: 008F290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 008F2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008F2964
GetStockObject.GDI32(00000011), ref: 008F2974
SelectObject.GDI32(00000000,00000000), ref: 008F2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 008F2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008F2991
DeleteDC.GDI32(00000000), ref: 008F299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008F29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008F29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 008F2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008F2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 008F2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 008F2A77
GetStockObject.GDI32(00000011), ref: 008F2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008F2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 008F2A97

Strings

AutoIt v3, xrefs: 008F28F8
static, xrefs: 008F294F, 008F2A71
DISPLAY, xrefs: 008F295A
msctls_progress32, xrefs: 008F2A13

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b3b1ff1df70eebab397c6c6e9fed0e7712d7d56bf8c287a6599ffca6a1956c75
Instruction ID: 4f69484e124941d7f45cacb02607f708f5202ac6e95f9417cd98e0dd916ab534
Opcode Fuzzy Hash: b3b1ff1df70eebab397c6c6e9fed0e7712d7d56bf8c287a6599ffca6a1956c75
Instruction Fuzzy Hash: D7B15CB5A50219AFEB14DFA8CC49FAE7BA9FB49710F108214FA14E7290D770ED40DB90

Function 008E4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008E4AED
GetDriveTypeW.KERNEL32(?,0090CB68,?,\\.\,0090CC08), ref: 008E4BCA
SetErrorMode.KERNEL32(00000000,0090CB68,?,\\.\,0090CC08), ref: 008E4D36

Strings

RAMDisk, xrefs: 008E4BF4
Removable, xrefs: 008E4C10, 008E4C15
\\.\, xrefs: 008E4B3F
SAS, xrefs: 008E4CC9
Unknown, xrefs: 008E4BED, 008E4C83
Fibre, xrefs: 008E4CAD
PhysicalDrive, xrefs: 008E4B76
MMC, xrefs: 008E4CDE
ATA, xrefs: 008E4C98
Fixed, xrefs: 008E4C09
SATA, xrefs: 008E4CD0
Network, xrefs: 008E4C02
SCSI, xrefs: 008E4C8A
CDROM, xrefs: 008E4BFB
USB, xrefs: 008E4CB4
FileBackedVirtual, xrefs: 008E4CEC
Virtual, xrefs: 008E4CE5
RAID, xrefs: 008E4CBB
1394, xrefs: 008E4C9F
ATAPI, xrefs: 008E4C91
SSA, xrefs: 008E4CA6
iSCSI, xrefs: 008E4CC2
SSD, xrefs: 008E4C4A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 05adb2026b2b799f6197f95cc35f2ca2fdd40bbee3a7095f4d0acf0e3de64836
Instruction ID: 49996e6f81d96703908c1d8150ad63584f20e0c3dd71e98db69a2c10db0d5388
Opcode Fuzzy Hash: 05adb2026b2b799f6197f95cc35f2ca2fdd40bbee3a7095f4d0acf0e3de64836
Instruction Fuzzy Hash: 9F619030609249ABCB14DF29C98296977F1FB86308F34E015F80EEB691DB35ED41DB52

Function 009073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00907421
SetTextColor.GDI32(?,?), ref: 00907425
GetSysColorBrush.USER32(0000000F), ref: 0090743B
GetSysColor.USER32(0000000F), ref: 00907446
CreateSolidBrush.GDI32(?), ref: 0090744B
GetSysColor.USER32(00000011), ref: 00907463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00907471
SelectObject.GDI32(?,00000000), ref: 00907482
SetBkColor.GDI32(?,00000000), ref: 0090748B
SelectObject.GDI32(?,?), ref: 00907498
InflateRect.USER32(?,000000FF,000000FF), ref: 009074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0090752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00907554
InflateRect.USER32(?,000000FD,000000FD), ref: 00907572
DrawFocusRect.USER32(?,?), ref: 0090757D
GetSysColor.USER32(00000011), ref: 0090758E
SetTextColor.GDI32(?,00000000), ref: 00907596
DrawTextW.USER32(?,009070F5,000000FF,?,00000000), ref: 009075A8
SelectObject.GDI32(?,?), ref: 009075BF
DeleteObject.GDI32(?), ref: 009075CA
SelectObject.GDI32(?,?), ref: 009075D0
DeleteObject.GDI32(?), ref: 009075D5
SetTextColor.GDI32(?,?), ref: 009075DB
SetBkColor.GDI32(?,?), ref: 009075E5

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c64adb0f780847ab321cf3ed8083abc96cfb985338d8ed693fa5ddc0f231ea47
Instruction ID: d69b70b8f7ae0462a1c6196eeb87db4c7de145aa5c27d0e84976cccea9c2dcee
Opcode Fuzzy Hash: c64adb0f780847ab321cf3ed8083abc96cfb985338d8ed693fa5ddc0f231ea47
Instruction Fuzzy Hash: 10616276D08218AFDF019FA4DC49AEEBF79EB09320F104215F911AB2E1D775A940DB90

Function 00900FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00901128
GetDesktopWindow.USER32 ref: 0090113D
GetWindowRect.USER32(00000000), ref: 00901144
GetWindowLongW.USER32(?,000000F0), ref: 00901199
DestroyWindow.USER32(?), ref: 009011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0090121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00901232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00901245
IsWindowVisible.USER32(00000000), ref: 009012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009012D0
GetWindowRect.USER32(00000000,?), ref: 009012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0090130E
GetMonitorInfoW.USER32(00000000,?), ref: 00901328
CopyRect.USER32(?,?), ref: 0090133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009013AA

Strings

tooltips_class32, xrefs: 009011E6
(, xrefs: 0090131B
0, xrefs: 009010D3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d1ef8fc518506cb8d3005e1786ced8cc654eb6b517675aefce51b006265b5bbe
Instruction ID: 60dc96cab401728080d8681f473ab7e143f948d7cd0b9fa37bcf60ecf615025b
Opcode Fuzzy Hash: d1ef8fc518506cb8d3005e1786ced8cc654eb6b517675aefce51b006265b5bbe
Instruction Fuzzy Hash: B5B17C71608341AFD714DF68C884B6ABBE8FF84754F00891DF999DB2A1CB71E845CB92

Function 00900241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009002E5
_wcslen.LIBCMT ref: 0090031F
_wcslen.LIBCMT ref: 00900389
_wcslen.LIBCMT ref: 009003F1
_wcslen.LIBCMT ref: 00900475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009004C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00900504

Part of subcall function 0088F9F2: _wcslen.LIBCMT ref: 0088F9FD

Part of subcall function 008D223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008D2258
Part of subcall function 008D223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D228A

Strings

GETTEXT, xrefs: 009003EC, 00900407
GETSELECTEDCOUNT, xrefs: 00900470, 0090048B
GETSUBITEMCOUNT, xrefs: 00900384, 0090039F
SELECTCLEAR, xrefs: 0090052D
GETITEMCOUNT, xrefs: 00900316, 00900337
FINDITEM, xrefs: 00900627
VIEWCHANGE, xrefs: 00900675
GETSELECTED, xrefs: 009005E1
SELECTALL, xrefs: 00900515
SELECTINVERT, xrefs: 0090057E
ISSELECTED, xrefs: 009004DD
SELECT, xrefs: 00900548
DESELECT, xrefs: 0090059C

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: f7aa96fc1e1b79f71f48af20ca3aad146177d093b3d60ac5b8e948bc5bbd0b2a
Instruction ID: 5590849f486f15c63c1666ccf1f6cbeeee5673565f78c8a9ea4dc5b5ba7c0bce
Opcode Fuzzy Hash: f7aa96fc1e1b79f71f48af20ca3aad146177d093b3d60ac5b8e948bc5bbd0b2a
Instruction Fuzzy Hash: 9EE17C312082018FC724DF28C951A2AB7E6FFD8714F148A5DF89A9B3A5DB31ED45CB52

Function 00888891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00888968
GetSystemMetrics.USER32(00000007), ref: 00888970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0088899B
GetSystemMetrics.USER32(00000008), ref: 008889A3
GetSystemMetrics.USER32(00000004), ref: 008889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00888A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00888A3C
GetClientRect.USER32(00000000,000000FF), ref: 00888A5A
GetStockObject.GDI32(00000011), ref: 00888A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00888A81

Part of subcall function 0088912D: GetCursorPos.USER32(?), ref: 00889141
Part of subcall function 0088912D: ScreenToClient.USER32(00000000,?), ref: 0088915E
Part of subcall function 0088912D: GetAsyncKeyState.USER32(00000001), ref: 00889183
Part of subcall function 0088912D: GetAsyncKeyState.USER32(00000002), ref: 0088919D

SetTimer.USER32(00000000,00000000,00000028,008890FC), ref: 00888AA8

Strings

AutoIt v3 GUI, xrefs: 00888A20

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fef57ffaf2005afae7be8b12cd55f78984de59fa81d79afaa4dc2fa6bbad5039
Instruction ID: 7f8fad257259a88269d16fd6917e85a8f2bb579c297b2c090197105a2d7ec0b3
Opcode Fuzzy Hash: fef57ffaf2005afae7be8b12cd55f78984de59fa81d79afaa4dc2fa6bbad5039
Instruction Fuzzy Hash: 7DB16775A1420AEFDB14EFA8DC85FAA3BB5FB48314F104229FA15E7290DB34E840DB51

Function 008D0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D1114
Part of subcall function 008D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1120
Part of subcall function 008D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D112F
Part of subcall function 008D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1136
Part of subcall function 008D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D0E29
GetLengthSid.ADVAPI32(?), ref: 008D0E40
GetAce.ADVAPI32(?,00000000,?), ref: 008D0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D0E96
GetLengthSid.ADVAPI32(?), ref: 008D0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 008D0EB5
HeapAlloc.KERNEL32(00000000), ref: 008D0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D0EDD
CopySid.ADVAPI32(00000000), ref: 008D0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0F6E
HeapFree.KERNEL32(00000000), ref: 008D0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0F7E
HeapFree.KERNEL32(00000000), ref: 008D0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D0F8E
HeapFree.KERNEL32(00000000), ref: 008D0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 008D0FA1
HeapFree.KERNEL32(00000000), ref: 008D0FA8

Part of subcall function 008D1193: GetProcessHeap.KERNEL32(00000008,008D0BB1,?,00000000,?,008D0BB1,?), ref: 008D11A1
Part of subcall function 008D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,008D0BB1,?), ref: 008D11A8
Part of subcall function 008D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,008D0BB1,?), ref: 008D11B7

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: a1895e1a30a90a5a011c396e8325ee78300ba7c95ee12793ab7e1a1d6347b992
Instruction ID: 151e03d17dc7517e895989ee18b5ad10913183cf4c2e32bab5ac2a5f1169d660
Opcode Fuzzy Hash: a1895e1a30a90a5a011c396e8325ee78300ba7c95ee12793ab7e1a1d6347b992
Instruction Fuzzy Hash: 4E714AB290420AAFDF209FA5DC48BEEBBB8FF04310F144216F959E6291DB719905DF60

Function 008FC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008FC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0090CC08,00000000,?,00000000,?,?), ref: 008FC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 008FC5A4
_wcslen.LIBCMT ref: 008FC5F4
_wcslen.LIBCMT ref: 008FC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 008FC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 008FC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 008FC84D
RegCloseKey.ADVAPI32(?), ref: 008FC881
RegCloseKey.ADVAPI32(00000000), ref: 008FC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 008FC960

Strings

REG_QWORD, xrefs: 008FC8C3
REG_DWORD, xrefs: 008FC804
REG_SZ, xrefs: 008FC644
REG_MULTI_SZ, xrefs: 008FC6F5
REG_BINARY, xrefs: 008FC913
REG_EXPAND_SZ, xrefs: 008FC5CD

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 510f2ee63fd93472821eaf9631cc19f54e70d1b62701e3afb1f86ce06e76e44f
Instruction ID: 273c3c05090b5a94c870b4d99416c357c9691ac358cca2851d8d091433cf52e5
Opcode Fuzzy Hash: 510f2ee63fd93472821eaf9631cc19f54e70d1b62701e3afb1f86ce06e76e44f
Instruction Fuzzy Hash: 4B1256756042059FDB14DF28C981A2AB7E5FF88714F14885CF99ADB3A2DB31ED41CB82

Function 0090091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009009C6
_wcslen.LIBCMT ref: 00900A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00900A54
_wcslen.LIBCMT ref: 00900A8A
_wcslen.LIBCMT ref: 00900B06
_wcslen.LIBCMT ref: 00900B81

Part of subcall function 0088F9F2: _wcslen.LIBCMT ref: 0088F9FD

Part of subcall function 008D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008D2BFA

Strings

GETTEXT, xrefs: 00900C97
GETITEMCOUNT, xrefs: 00900C1E
CHECK, xrefs: 00900A85, 00900AA0
UNCHECK, xrefs: 00900D3E
COLLAPSE, xrefs: 00900B01, 00900B1C
EXPAND, xrefs: 00900BF8
ISCHECKED, xrefs: 00900CE1
EXISTS, xrefs: 00900B7C, 00900B97
GETSELECTED, xrefs: 00900C4E
GETTOTALCOUNT, xrefs: 009009F2, 00900A17
SELECT, xrefs: 00900D11

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: a284d5de7ccb54fa6f04457bd70d6b5b6e9408ce10fe041b3a679096bd6e3562
Instruction ID: 987cb2afa442a6a7bbbf4873b5fd7e36a4531ffe856ee74bce2b51795744df92
Opcode Fuzzy Hash: a284d5de7ccb54fa6f04457bd70d6b5b6e9408ce10fe041b3a679096bd6e3562
Instruction Fuzzy Hash: 75E138712087019FCB14DF28C450A2AB7E5FFD9314F148959F89A9B3A2DB31ED45CB92

Function 008FC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FB6AE,?,?), ref: 008FC9B5
_wcslen.LIBCMT ref: 008FC9F1
_wcslen.LIBCMT ref: 008FCA68
_wcslen.LIBCMT ref: 008FCA9E
_wcslen.LIBCMT ref: 008FCAF9
_wcslen.LIBCMT ref: 008FCB2F
_wcslen.LIBCMT ref: 008FCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 008FCA62, 008FCA67
HKEY_USERS, xrefs: 008FCBDF
HKEY_CLASSES_ROOT, xrefs: 008FCAF3, 008FCAF8
HKCR, xrefs: 008FCB29, 008FCB2E
HKEY_CURRENT_CONFIG, xrefs: 008FCB79, 008FCB7E
HKEY_CURRENT_USER, xrefs: 008FCBBD
HKLM, xrefs: 008FCA98, 008FCA9D
HKU, xrefs: 008FCBF0
HKCU, xrefs: 008FCBCE
HKCC, xrefs: 008FCBAC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3c57791cff102df5a324cf988e88b46894dcc392e3157ffa8f5bef897160b787
Instruction ID: 3541037993a63915a3a670af827ac7d81d9098073e3da11e7ba609822b9c3b31
Opcode Fuzzy Hash: 3c57791cff102df5a324cf988e88b46894dcc392e3157ffa8f5bef897160b787
Instruction Fuzzy Hash: 8171D07260012E8BCB20DE7CCE519BA3791FFA0764F250528FA56E7285EA31DF4587A1

Function 0090833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0090835A
_wcslen.LIBCMT ref: 0090836E
_wcslen.LIBCMT ref: 00908391
_wcslen.LIBCMT ref: 009083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00905BF2), ref: 0090844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00908487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00908501
FreeLibrary.KERNEL32(?), ref: 0090850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0090851D
DestroyIcon.USER32(?,?,?,?,?,00905BF2), ref: 0090852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00908549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00908555

Strings

.dll, xrefs: 009083AB
.icl, xrefs: 00908368
.exe, xrefs: 00908388

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 2485f32a355216124ee46851ee8ce329364a86d25c591c81b003782fbc5f8d04
Instruction ID: 3a541b519e0f96f20461c26bc3ad38b51608b0441b927ebd7f5d97c1e657f6fa
Opcode Fuzzy Hash: 2485f32a355216124ee46851ee8ce329364a86d25c591c81b003782fbc5f8d04
Instruction Fuzzy Hash: 4D61ADB1614219BEEB249F64CC81BBF7BACFB04B21F104649F855D61E1DB74A980DBA0

Function 00877778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 008B5279
#requireadmin, xrefs: 008777FF
#include, xrefs: 00877847
#comments-start, xrefs: 0087785F, 008778B1
Unterminated group of comments, xrefs: 008B528C
#ce, xrefs: 008778ED
Bad directive syntax error, xrefs: 008B519A
#comments-end, xrefs: 008778D9
", xrefs: 008B5153
#include-once, xrefs: 0087782F
#OnAutoItStartRegister, xrefs: 00877817
', xrefs: 008B5169
#pragma compile, xrefs: 008777D3
#cs, xrefs: 00877873, 008778C5
#notrayicon, xrefs: 008777E7

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 14d0218c3666c95961d12588adf28c194805387de28b27aa44ecaf88ca4aff38
Instruction ID: 6f26da8caa28f74656ed853a65bc7b8fbc5f53a55c9fc305f7cba849166e089a
Opcode Fuzzy Hash: 14d0218c3666c95961d12588adf28c194805387de28b27aa44ecaf88ca4aff38
Instruction Fuzzy Hash: 0B81F971604205BFDB25BF68CC92FAE3768FF55344F048024F909EA29AEB70DA51D792

Function 008E3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 008E3EF8
_wcslen.LIBCMT ref: 008E3F03
_wcslen.LIBCMT ref: 008E3F5A
_wcslen.LIBCMT ref: 008E3F98
GetDriveTypeW.KERNEL32(?), ref: 008E3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008E401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008E4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008E4087

Strings

closed, xrefs: 008E3F08, 008E3F2D, 008E3F46, 008E3F7E, 008E3F97
wait, xrefs: 008E4044
close, xrefs: 008E3EFE, 008E3F18
open , xrefs: 008E3FE5
open, xrefs: 008E3F54, 008E3F59
set cd door , xrefs: 008E4028
type cdaudio alias cd wait, xrefs: 008E4001
close cd wait, xrefs: 008E4072

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4b0107d8897241dbb8732e8962e98fb6bbe0c89c1d63c2da611c3a164ac061e6
Instruction ID: 18aa7d1cb9677e70b5a2c63a0a5f69103b3f926914ac31a9723c426abd298b48
Opcode Fuzzy Hash: 4b0107d8897241dbb8732e8962e98fb6bbe0c89c1d63c2da611c3a164ac061e6
Instruction Fuzzy Hash: 1171FF326046019FC710EF29C88086AB7F4FF95768F00892DF999D7255EB30DE45CB92

Function 008D5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 008D5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008D5A40
SetWindowTextW.USER32(?,?), ref: 008D5A57
GetDlgItem.USER32(?,000003EA), ref: 008D5A6C
SetWindowTextW.USER32(00000000,?), ref: 008D5A72
GetDlgItem.USER32(?,000003E9), ref: 008D5A82
SetWindowTextW.USER32(00000000,?), ref: 008D5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008D5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008D5AC3
GetWindowRect.USER32(?,?), ref: 008D5ACC
_wcslen.LIBCMT ref: 008D5B33
SetWindowTextW.USER32(?,?), ref: 008D5B6F
GetDesktopWindow.USER32 ref: 008D5B75
GetWindowRect.USER32(00000000), ref: 008D5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008D5BD3
GetClientRect.USER32(?,?), ref: 008D5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 008D5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008D5C2F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 3a259d916faaae942bc2eea08908321fffd138be7cfdec8a7a57448e66a53e07
Instruction ID: af21d30057abdbeeed54ab89ccf5223eee542544d6d352a27e7b7cf7c1594eba
Opcode Fuzzy Hash: 3a259d916faaae942bc2eea08908321fffd138be7cfdec8a7a57448e66a53e07
Instruction Fuzzy Hash: D9717E71900B09AFDB20DFA8CE85A6EBBF5FF48714F104A1AE142E26A0D775E940DB50

Function 008EFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 008EFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 008EFE32
LoadCursorW.USER32(00000000,00007F00), ref: 008EFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 008EFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 008EFE53
LoadCursorW.USER32(00000000,00007F01), ref: 008EFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 008EFE69
LoadCursorW.USER32(00000000,00007F88), ref: 008EFE74
LoadCursorW.USER32(00000000,00007F80), ref: 008EFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 008EFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 008EFE95
LoadCursorW.USER32(00000000,00007F85), ref: 008EFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 008EFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 008EFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 008EFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 008EFECC
GetCursorInfo.USER32(?), ref: 008EFEDC
GetLastError.KERNEL32 ref: 008EFF1E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 33ef39babb02fda85983136dcc934cdacac24c86d7cae41e4982d3478d3f8d1e
Instruction ID: de7e28af50838649d581c7bbb58d49f6bc621b22b32c8596c87f285554ff7160
Opcode Fuzzy Hash: 33ef39babb02fda85983136dcc934cdacac24c86d7cae41e4982d3478d3f8d1e
Instruction Fuzzy Hash: A44152B0D083596ADB109FBA8C8985EBFE8FF05354B50852AF11DE7281DB78E901CF91

Function 008900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008900C6

Part of subcall function 008900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0094070C,00000FA0,DE7F3BEF,?,?,?,?,008B23B3,000000FF), ref: 0089011C
Part of subcall function 008900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008B23B3,000000FF), ref: 00890127
Part of subcall function 008900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008B23B3,000000FF), ref: 00890138
Part of subcall function 008900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0089014E
Part of subcall function 008900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0089015C
Part of subcall function 008900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0089016A
Part of subcall function 008900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00890195
Part of subcall function 008900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008901A0

___scrt_fastfail.LIBCMT ref: 008900E7

Part of subcall function 008900A3: __onexit.LIBCMT ref: 008900A9

Strings

kernel32.dll, xrefs: 00890133
SleepConditionVariableCS, xrefs: 00890154
InitializeConditionVariable, xrefs: 00890148
WakeAllConditionVariable, xrefs: 00890162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00890122

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e4c83bc3f7d09a78ff8c0be29c37afb57887b41ecc245cee9952effa1859f2a2
Instruction ID: 84466dd44e6f615d62cc28bb9e5cca271525be9cb11a153009fdc564f238ac03
Opcode Fuzzy Hash: e4c83bc3f7d09a78ff8c0be29c37afb57887b41ecc245cee9952effa1859f2a2
Instruction Fuzzy Hash: 15210B7265D710AFDB207BA4AC09F6A37D4FB85B55F04023AF901E76D1DB749C009E91

Function 008D30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008D318D
_wcslen.LIBCMT ref: 008D31F8

Strings

CLASSNN, xrefs: 008D31F3, 008D3204
REGEXPCLASS, xrefs: 008D3255, 008D3266
NAME, xrefs: 008D3335, 008D3346
TEXT, xrefs: 008D347C
INSTANCE, xrefs: 008D3453
CLASS, xrefs: 008D3188, 008D31A5

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: f2998ec80bf3ec417e3da645d15f7290c535f6475325b976b9c884a1fb0b34f9
Instruction ID: 6f6b883c605cc231bf5f1db66734551ea28ba24af45dbfe6e8fee32329e4c371
Opcode Fuzzy Hash: f2998ec80bf3ec417e3da645d15f7290c535f6475325b976b9c884a1fb0b34f9
Instruction Fuzzy Hash: 91E1E732A00616ABCF189F68C451AEDFBB1FF54714F14832AE456F7340DB30AE458B92

Function 008E44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0090CC08), ref: 008E4527
_wcslen.LIBCMT ref: 008E453B
_wcslen.LIBCMT ref: 008E4599
_wcslen.LIBCMT ref: 008E45F4
_wcslen.LIBCMT ref: 008E463F
_wcslen.LIBCMT ref: 008E46A7

Part of subcall function 0088F9F2: _wcslen.LIBCMT ref: 0088F9FD

GetDriveTypeW.KERNEL32(?,00936BF0,00000061), ref: 008E4743

Strings

network, xrefs: 008E469D, 008E46A2
fixed, xrefs: 008E4635, 008E463A
unknown, xrefs: 008E4708
cdrom, xrefs: 008E458F, 008E4594
all, xrefs: 008E4531, 008E4536
ramdisk, xrefs: 008E46F1
removable, xrefs: 008E45EA, 008E45EF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 7bb8991fbc57161b91a4a1d51bbe2c69c7c78c3e23ca271c591f542b86acc78b
Instruction ID: 4ef330531ea0f8f72ccf1b4035642707e7385dd017871a1c06f5a8814eb90071
Opcode Fuzzy Hash: 7bb8991fbc57161b91a4a1d51bbe2c69c7c78c3e23ca271c591f542b86acc78b
Instruction Fuzzy Hash: 8DB1F3716083429FC710DF2AC890A6EB7E5FFA6724F50992DF49AC72A1D730D845CB92

Function 008F3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0090CC08), ref: 008F40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008F40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0090CC08), ref: 008F40F2
FreeLibrary.KERNEL32(00000000,?,0090CC08), ref: 008F413E
StringFromGUID2.OLE32(?,?,00000028,?,0090CC08), ref: 008F41A8
SysFreeString.OLEAUT32(00000009), ref: 008F4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008F42C8
SysFreeString.OLEAUT32(?), ref: 008F42F2

Strings

GetModuleHandleExW, xrefs: 008F40C7
kernel32.dll, xrefs: 008F40B6

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 1746d9f2a1ce44c95fab85e799a3b5ae38e7de4c1db0c45bc008cc9c8e32035f
Instruction ID: c130ff3137ffce8aba0d2515cc4edf2c6dd82103ad4be44923e93a21b6b710d5
Opcode Fuzzy Hash: 1746d9f2a1ce44c95fab85e799a3b5ae38e7de4c1db0c45bc008cc9c8e32035f
Instruction Fuzzy Hash: 78120A75A00119AFDB14DF64C884EBEB7B5FF85318F248099EA05EB251D731ED86CBA0

Function 0087326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00941990), ref: 008B2F8D
GetMenuItemCount.USER32(00941990), ref: 008B303D
GetCursorPos.USER32(?), ref: 008B3081
SetForegroundWindow.USER32(00000000), ref: 008B308A
TrackPopupMenuEx.USER32(00941990,00000000,?,00000000,00000000,00000000), ref: 008B309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008B30A9

Strings

0, xrefs: 0087327D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 838d31bbcbc31d49ccc77d3b4dfda258e6478288de6b8aa7f521392387a58143
Instruction ID: dbc1a6d593331c07449b51c3f08000056ee058533554282f446c503585c6ba6e
Opcode Fuzzy Hash: 838d31bbcbc31d49ccc77d3b4dfda258e6478288de6b8aa7f521392387a58143
Instruction Fuzzy Hash: 1971F770644205BEEB359F29CC49FEABF64FF05364F204216F528E62E1C7B1A910E751

Function 00906CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00906DEB

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00906E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00906E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00906E94
DestroyWindow.USER32(?), ref: 00906EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00870000,00000000), ref: 00906EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00906EFD
GetDesktopWindow.USER32 ref: 00906F16
GetWindowRect.USER32(00000000), ref: 00906F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00906F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00906F4D

Part of subcall function 00889944: GetWindowLongW.USER32(?,000000EB), ref: 00889952

Strings

tooltips_class32, xrefs: 00906E58, 00906EDD
0, xrefs: 00906D98

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 039d583aeb0261872f021a749fc8bec84a76dd2e417df58bf1937a394c6f90c4
Instruction ID: b60aead9fd6cbc00c24cf0408c2bf3cd78e5a5a80c24cd680b7591c45d902b7c
Opcode Fuzzy Hash: 039d583aeb0261872f021a749fc8bec84a76dd2e417df58bf1937a394c6f90c4
Instruction Fuzzy Hash: 267169B4108345AFDB21CF18DC44EAABBE9FB89304F04491DFA99C72A1C771E956DB12

Function 0090911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

DragQueryPoint.SHELL32(?,?), ref: 00909147

Part of subcall function 00907674: ClientToScreen.USER32(?,?), ref: 0090769A
Part of subcall function 00907674: GetWindowRect.USER32(?,?), ref: 00907710
Part of subcall function 00907674: PtInRect.USER32(?,?,00908B89), ref: 00907720

SendMessageW.USER32(?,000000B0,?,?), ref: 009091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00909225
SendMessageW.USER32(?,000000B0,?,?), ref: 0090923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00909255
SendMessageW.USER32(?,000000B1,?,?), ref: 00909277
DragFinish.SHELL32(?), ref: 0090927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00909371

Strings

@GUI_DRAGFILE, xrefs: 00909320
@GUI_DRAGID, xrefs: 009092E9
@GUI_DROPID, xrefs: 0090929E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 3aac6adde26f79a993797f7894759e5ecda8961356dacc00c4c3526e55ff086f
Instruction ID: a51ec12a84ad15266634f4880a5168274414c2bb34cd2777f70bc94a76e9cc82
Opcode Fuzzy Hash: 3aac6adde26f79a993797f7894759e5ecda8961356dacc00c4c3526e55ff086f
Instruction Fuzzy Hash: 88615671108301AFC715EF64DC85DAFBBE8FBC9750F004A2EF5A5921A1DB309A49CB52

Function 008EC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008EC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008EC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008EC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008EC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 008EC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008EC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008EC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008EC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 008EC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 008EC5F0
InternetCloseHandle.WININET(00000000), ref: 008EC5FB

Strings

, xrefs: 008EC575

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d3428389f579f3ff4f2462bc4ecbb01a877f11341450b3317be0dab36f813bde
Instruction ID: 185c9d2a7c5c34e4675baeff887267909428d1a593ae0a9b5097aef96bee6e16
Opcode Fuzzy Hash: d3428389f579f3ff4f2462bc4ecbb01a877f11341450b3317be0dab36f813bde
Instruction Fuzzy Hash: 3A518CB0904349BFDB219F66C988AAB7BFCFF0A344F00451AF946D6250DB30E945EB60

Function 0090856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00908592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085BA
GlobalLock.KERNEL32(00000000), ref: 009085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085D7
GlobalUnlock.KERNEL32(00000000), ref: 009085E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009085F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0090FC38,?), ref: 00908611
GlobalFree.KERNEL32(00000000), ref: 00908621
GetObjectW.GDI32(?,00000018,?), ref: 00908641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00908671
DeleteObject.GDI32(?), ref: 00908699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009086AF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7608e67a0353bde0c70d8df6654b44a9128662c198046cf90a494740ead80d2c
Instruction ID: fa843e2b77badd23fb73352123aeb272d4b291272f99430d45f4464ffa9f909a
Opcode Fuzzy Hash: 7608e67a0353bde0c70d8df6654b44a9128662c198046cf90a494740ead80d2c
Instruction Fuzzy Hash: CD4149B1610204EFDB119FA9CC88EAB7BBCFF89B11F108158F955E72A0DB319901DB20

Function 008E14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 008E1502
VariantCopy.OLEAUT32(?,?), ref: 008E150B
VariantClear.OLEAUT32(?), ref: 008E1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008E15FB
VarR8FromDec.OLEAUT32(?,?), ref: 008E1657
VariantInit.OLEAUT32(?), ref: 008E1708
SysFreeString.OLEAUT32(?), ref: 008E178C
VariantClear.OLEAUT32(?), ref: 008E17D8
VariantClear.OLEAUT32(?), ref: 008E17E7
VariantInit.OLEAUT32(00000000), ref: 008E1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 008E1625
Default, xrefs: 008E16AF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 99b48336ab50e96ed2d2b31b13db7796425b8c2fc9145555438aaffdf7a94d52
Instruction ID: f7fdad4860e7ef7a2b1b646b1b900d7f4f484d5734276fae3a7b30cff3dd54d6
Opcode Fuzzy Hash: 99b48336ab50e96ed2d2b31b13db7796425b8c2fc9145555438aaffdf7a94d52
Instruction Fuzzy Hash: 2BD1F171A00149EBDF00AF6AD889BBDB7B5FF46704F10815AE946EB195DB30DC40DB52

Function 008FB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FB6AE,?,?), ref: 008FC9B5
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FC9F1
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA68
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008FB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008FB772
RegDeleteValueW.ADVAPI32(?,?), ref: 008FB80A
RegCloseKey.ADVAPI32(?), ref: 008FB87E
RegCloseKey.ADVAPI32(?), ref: 008FB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 008FB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008FB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 008FB922
FreeLibrary.KERNEL32(00000000), ref: 008FB983
RegCloseKey.ADVAPI32(00000000), ref: 008FB994

Strings

RegDeleteKeyExW, xrefs: 008FB8FE
advapi32.dll, xrefs: 008FB8ED

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: ae71f32d08e46b4752874473c9c0aca14ec43e925091b97ede8b51c200f88e14
Instruction ID: a43c992291bbe9a5e9c646090ab454f7ae597c5e6f4c781e86aa87c257811d0d
Opcode Fuzzy Hash: ae71f32d08e46b4752874473c9c0aca14ec43e925091b97ede8b51c200f88e14
Instruction Fuzzy Hash: BEC19C30208205AFD714DF28C495F2ABBE5FF85318F14855CF69A8B2A2CB71ED45CB92

Function 008F255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008F25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008F25E8
CreateCompatibleDC.GDI32(?), ref: 008F25F4
SelectObject.GDI32(00000000,?), ref: 008F2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 008F266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008F26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008F26D0
SelectObject.GDI32(?,?), ref: 008F26D8
DeleteObject.GDI32(?), ref: 008F26E1
DeleteDC.GDI32(?), ref: 008F26E8
ReleaseDC.USER32(00000000,?), ref: 008F26F3

Strings

(, xrefs: 008F268D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b22bdb9d1a76b2e807bada8a9b49bbf162b95a77a28de524d9a8b7f84a3cd951
Instruction ID: 6446f719fd504e21d7e6f82496fcec41ecd77c53fff5e6cd2973663cff446388
Opcode Fuzzy Hash: b22bdb9d1a76b2e807bada8a9b49bbf162b95a77a28de524d9a8b7f84a3cd951
Instruction Fuzzy Hash: 6A61F2B5D04219EFCF04CFA8D884AAEBBB5FF48310F208529EA55E7250D774A951DFA0

Function 008ADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008ADAA1

Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD659
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD66B
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD67D
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD68F
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6A1
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6B3
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6C5
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6D7
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6E9
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD6FB
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD70D
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD71F
Part of subcall function 008AD63C: _free.LIBCMT ref: 008AD731

_free.LIBCMT ref: 008ADA96

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008ADAB8
_free.LIBCMT ref: 008ADACD
_free.LIBCMT ref: 008ADAD8
_free.LIBCMT ref: 008ADAFA
_free.LIBCMT ref: 008ADB0D
_free.LIBCMT ref: 008ADB1B
_free.LIBCMT ref: 008ADB26
_free.LIBCMT ref: 008ADB5E
_free.LIBCMT ref: 008ADB65
_free.LIBCMT ref: 008ADB82
_free.LIBCMT ref: 008ADB9A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c66779002743edda088f4ee6c70ca7b1605299b5c5abde62bc55d7907a66f930
Instruction ID: 60d63b7e9569ed2a10bb0115fe4a299bb5f5be75133ba7d1d5dfc175defe9305
Opcode Fuzzy Hash: c66779002743edda088f4ee6c70ca7b1605299b5c5abde62bc55d7907a66f930
Instruction Fuzzy Hash: 3A3159326047049FFB71AA3CE845B5B7BE8FF02720F154419E54AD7D91DA30AC418B22

Function 008D365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008D369C
_wcslen.LIBCMT ref: 008D36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008D3797
GetClassNameW.USER32(?,?,00000400), ref: 008D380C
GetDlgCtrlID.USER32(?), ref: 008D385D
GetWindowRect.USER32(?,?), ref: 008D3882
GetParent.USER32(?), ref: 008D38A0
ScreenToClient.USER32(00000000), ref: 008D38A7
GetClassNameW.USER32(?,?,00000100), ref: 008D3921
GetWindowTextW.USER32(?,?,00000400), ref: 008D395D

Strings

%s%u, xrefs: 008D3734

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: cf5efab856eaf07a76905a04efea1c8c550b72016369838a3cd91e8c2779c410
Instruction ID: 581956f62ebd944450536b2e45a2ba8b0a3a6dc84283f6090e0db4fb27c0fb8b
Opcode Fuzzy Hash: cf5efab856eaf07a76905a04efea1c8c550b72016369838a3cd91e8c2779c410
Instruction Fuzzy Hash: 2291C471204606BFD719DF64C895FAAF7A8FF44354F00872AF999D2290DB30EA45CB92

Function 008D4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 008D4994
GetWindowTextW.USER32(?,?,00000400), ref: 008D49DA
_wcslen.LIBCMT ref: 008D49EB
CharUpperBuffW.USER32(?,00000000), ref: 008D49F7
_wcsstr.LIBVCRUNTIME ref: 008D4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 008D4A64
GetWindowTextW.USER32(?,?,00000400), ref: 008D4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 008D4AE6
GetClassNameW.USER32(?,?,00000400), ref: 008D4B20
GetWindowRect.USER32(?,?), ref: 008D4B8B

Strings

ThumbnailClass, xrefs: 008D4A6F, 008D4AF1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 48d623b37487d1cb4f7104214ced541c745e657e749e28116dd3de9fa16c5b1a
Instruction ID: d9c80e66d64a928a39b194ce3563141f7593f961e22c4b35ff7b96d2f4edaa7a
Opcode Fuzzy Hash: 48d623b37487d1cb4f7104214ced541c745e657e749e28116dd3de9fa16c5b1a
Instruction Fuzzy Hash: 6591DC710082069FDB04DF54C885FAA77A8FF94314F04966BFD85DA296DB30ED45CBA2

Function 00908D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00908D5A
GetFocus.USER32 ref: 00908D6A
GetDlgCtrlID.USER32(00000000), ref: 00908D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00908E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00908ECF
GetMenuItemCount.USER32(?), ref: 00908EEC
GetMenuItemID.USER32(?,00000000), ref: 00908EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00908F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00908F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00908FA1

Strings

0, xrefs: 00908E9F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 84318032f4ca2e354b2b42320351e4822279aebb12ee692c8cc05f5d16fa833a
Instruction ID: c18fbcf1cfd81d3d6cbdc23ff4ba72ca8601f7e2baa7f4a2b1901d7dc3fba43e
Opcode Fuzzy Hash: 84318032f4ca2e354b2b42320351e4822279aebb12ee692c8cc05f5d16fa833a
Instruction Fuzzy Hash: DD819F71608301AFDB20DF24D884A6B7BE9FF88754F140A19FA85D72D1DB70D940DBA2

Function 008DBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00941990,000000FF,00000000,00000030), ref: 008DBFAC
SetMenuItemInfoW.USER32(00941990,00000004,00000000,00000030), ref: 008DBFE1
Sleep.KERNEL32(000001F4), ref: 008DBFF3
GetMenuItemCount.USER32(?), ref: 008DC039
GetMenuItemID.USER32(?,00000000), ref: 008DC056
GetMenuItemID.USER32(?,-00000001), ref: 008DC082
GetMenuItemID.USER32(?,?), ref: 008DC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008DC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008DC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008DC145

Strings

0, xrefs: 008DBF3D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 4433b21f011a89c2f12d9780562392b45b7a95f758067b4d08390624f598d597
Instruction ID: e467b7c00e5b468ba5f7755efd8bc5b0e54dfab5340658bc74412e0895e49a8f
Opcode Fuzzy Hash: 4433b21f011a89c2f12d9780562392b45b7a95f758067b4d08390624f598d597
Instruction Fuzzy Hash: 8D6158B091425AAFDF25CF68DC88AAEBBB8FB05344F104256E911E3391CB31AD45DB61

Function 008DDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 008DDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008DDC46
_wcslen.LIBCMT ref: 008DDC50
_wcsstr.LIBVCRUNTIME ref: 008DDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008DDCBC

Strings

StringFileInfo\, xrefs: 008DDC8F
04090000, xrefs: 008DDCF2
%u.%u.%u.%u, xrefs: 008DDD9A
DefaultLangCodepage, xrefs: 008DDD1F
\VarFileInfo\Translation, xrefs: 008DDCB4

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 0ca9587cf862da3161ff05d42210ac6f69f0ac533bdfa150e6d25e8b7df23748
Instruction ID: df9014c0289ebd93500176bd14f9d901e44166613e9716b8d90e131b742c15e5
Opcode Fuzzy Hash: 0ca9587cf862da3161ff05d42210ac6f69f0ac533bdfa150e6d25e8b7df23748
Instruction Fuzzy Hash: B04104729403047BEF10B7689C03EBF77ACFF45750F14416AF904E6282EA74990197A6

Function 008FCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008FCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 008FCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008FCD48

Part of subcall function 008FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 008FCCAA
Part of subcall function 008FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 008FCCBD
Part of subcall function 008FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 008FCCCF
Part of subcall function 008FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 008FCD05
Part of subcall function 008FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 008FCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 008FCCF3

Strings

RegDeleteKeyExW, xrefs: 008FCCC9
advapi32.dll, xrefs: 008FCCB8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: d7cad6d908753d111a869d4028451a0b8f2f57586ad33610c350693d1ed65140
Instruction ID: 55455638a3c663dce57adc92e91fbf1bc54dd0417f38cebb974fa7a5bd79861b
Opcode Fuzzy Hash: d7cad6d908753d111a869d4028451a0b8f2f57586ad33610c350693d1ed65140
Instruction Fuzzy Hash: E03161B190512DBFDB209B64DD88EFFBB7CEF46754F000165BA05E2140D7349B45EAA0

Function 008E3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008E3D40
_wcslen.LIBCMT ref: 008E3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 008E3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008E3DBE
RemoveDirectoryW.KERNEL32(?), ref: 008E3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008E3E55
CloseHandle.KERNEL32(00000000), ref: 008E3E60
CloseHandle.KERNEL32(00000000), ref: 008E3E6B

Strings

\, xrefs: 008E3D77
:, xrefs: 008E3D82
\??\%s, xrefs: 008E3D5B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 2e316f3aa28f224f2d45cb56b25d55cbdb1cee826183f2e6135d11e3104c5729
Instruction ID: f679865a113ccc163bacd07ebefeeaf35af452523cf56af9d2643be3d9b15449
Opcode Fuzzy Hash: 2e316f3aa28f224f2d45cb56b25d55cbdb1cee826183f2e6135d11e3104c5729
Instruction Fuzzy Hash: 3A31CFB2A14249ABDB219BA5DC48FEB37BCFF89700F5041A5F609D6160EB709B448B24

Function 008DE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008DE6B4

Part of subcall function 0088E551: timeGetTime.WINMM(?,?,008DE6D4), ref: 0088E555

Sleep.KERNEL32(0000000A), ref: 008DE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 008DE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008DE727
SetActiveWindow.USER32 ref: 008DE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008DE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 008DE773
Sleep.KERNEL32(000000FA), ref: 008DE77E
IsWindow.USER32 ref: 008DE78A
EndDialog.USER32(00000000), ref: 008DE79B

Strings

BUTTON, xrefs: 008DE719

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8f6c177f0185335a369b4b4f4a0c3dda405a6d2a70404176acfaa50c141d05c6
Instruction ID: e92a92f71e538ea0ed6c3407ad30b6d8dfad842e3714643b7ce85f4564b0afb2
Opcode Fuzzy Hash: 8f6c177f0185335a369b4b4f4a0c3dda405a6d2a70404176acfaa50c141d05c6
Instruction Fuzzy Hash: D32193B822C205AFEB106F65EC89E3A3B69F756349F500627F415C52A1DB72AC40EB25

Function 008DE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008DEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008DEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008DEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008DEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008DEAA7

Strings

play PlayMe, xrefs: 008DEAA2
close PlayMe, xrefs: 008DEA6E, 008DEA9B
play PlayMe wait, xrefs: 008DEA91
open , xrefs: 008DEA0C
alias PlayMe, xrefs: 008DEA36
status PlayMe mode, xrefs: 008DEA58

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e28b6facb426d7bf40cc45009fabef1bb0440f9e345e830a60bb61a9bb186e25
Instruction ID: 5cb1dc2f2d530ac6dad9a530f92de6255e228d0a106f2fe0141ec94b7b4da4dc
Opcode Fuzzy Hash: e28b6facb426d7bf40cc45009fabef1bb0440f9e345e830a60bb61a9bb186e25
Instruction Fuzzy Hash: 24119131A9022979D720B7A6DC4AEFF6B7CFBD1B48F00452AB415E60D4EA704905C9B1

Function 008D9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008DA012
SetKeyboardState.USER32(?), ref: 008DA07D
GetAsyncKeyState.USER32(000000A0), ref: 008DA09D
GetKeyState.USER32(000000A0), ref: 008DA0B4
GetAsyncKeyState.USER32(000000A1), ref: 008DA0E3
GetKeyState.USER32(000000A1), ref: 008DA0F4
GetAsyncKeyState.USER32(00000011), ref: 008DA120
GetKeyState.USER32(00000011), ref: 008DA12E
GetAsyncKeyState.USER32(00000012), ref: 008DA157
GetKeyState.USER32(00000012), ref: 008DA165
GetAsyncKeyState.USER32(0000005B), ref: 008DA18E
GetKeyState.USER32(0000005B), ref: 008DA19C

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1252c8bf9145dd981e407c61fad07eb16ac227bb600e495c470d5546fbdeaa03
Instruction ID: 538d3e657fa35b4d99bade415fe284ea5316e34c1010e261a5a9b962b54d0752
Opcode Fuzzy Hash: 1252c8bf9145dd981e407c61fad07eb16ac227bb600e495c470d5546fbdeaa03
Instruction Fuzzy Hash: 9A51A82090478869FF39EB6488517AABFB5EF12340F18479BD5C2D73C2DA549A4CC763

Function 008D5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008D5CE2
GetWindowRect.USER32(00000000,?), ref: 008D5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008D5D59
GetDlgItem.USER32(?,00000002), ref: 008D5D69
GetWindowRect.USER32(00000000,?), ref: 008D5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008D5DCF
GetDlgItem.USER32(?,000003E9), ref: 008D5DDD
GetWindowRect.USER32(00000000,?), ref: 008D5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008D5E31
GetDlgItem.USER32(?,000003EA), ref: 008D5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008D5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 008D5E67

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 03bc35d9a15aa9992ca83a3a10c048a81d4ba15a00fb3a2e1190b6d97244a846
Instruction ID: 30e4282c605775a7521cff5aa28a02d83457851d091dea047657603cf60d1aba
Opcode Fuzzy Hash: 03bc35d9a15aa9992ca83a3a10c048a81d4ba15a00fb3a2e1190b6d97244a846
Instruction Fuzzy Hash: 7A5101B1B10609AFDF18DF68DD89AAE7BB5FB48301F14822AF515E7290D7709E04CB60

Function 00888BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00888F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00888BE8,?,00000000,?,?,?,?,00888BBA,00000000,?), ref: 00888FC5

DestroyWindow.USER32(?), ref: 00888C81
KillTimer.USER32(00000000,?,?,?,?,00888BBA,00000000,?), ref: 00888D1B
DestroyAcceleratorTable.USER32(00000000), ref: 008C6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00888BBA,00000000,?), ref: 008C69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00888BBA,00000000,?), ref: 008C69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00888BBA,00000000), ref: 008C69D4
DeleteObject.GDI32(00000000), ref: 008C69E6

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 95f2fc0d78d7660beab3e047e7f559878808736ab481fd147585761ee09962d3
Instruction ID: 548041c3bbf3cd2d12e02e4dd98324ae374f3eea92f9799f826e67151484a927
Opcode Fuzzy Hash: 95f2fc0d78d7660beab3e047e7f559878808736ab481fd147585761ee09962d3
Instruction Fuzzy Hash: A161BB34016614DFDB25AF18DA48B297BF2FB41316F50452CE042DB5A4CB31ADD0EF91

Function 00889838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00889944: GetWindowLongW.USER32(?,000000EB), ref: 00889952

GetSysColor.USER32(0000000F), ref: 00889862

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 20b475c756be11754625c8e84fb60436058bbdc0fdd3f5f9784c4b805b9c0e42
Instruction ID: 5e73ad84f81beb0110779a5be6bcfb976610f3b7248a2b695e72e9a023f07be0
Opcode Fuzzy Hash: 20b475c756be11754625c8e84fb60436058bbdc0fdd3f5f9784c4b805b9c0e42
Instruction Fuzzy Hash: E2418071108645AFDB206F389C88BB93BA5FB06335F184669F9E2C71E1D7319C42EB11

Function 008D96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,008BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 008D9717
LoadStringW.USER32(00000000,?,008BF7F8,00000001), ref: 008D9720

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,008BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 008D9742
LoadStringW.USER32(00000000,?,008BF7F8,00000001), ref: 008D9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 008D9866

Strings

Line %d (File "%s"):, xrefs: 008D978F
Line %d:, xrefs: 008D97A0
Error: , xrefs: 008D981D
%s (%d) : ==> %s: %s %s, xrefs: 008D984A
^ ERROR, xrefs: 008D97FB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: dda5006f7fdc4214530c7d81fd7f16fb85de6ae6ff1ed4fe6be72a9a0138157c
Instruction ID: c66b30a84d9c82a0a05369ac1a380007771ababe3b7db2b34d0314bc72e09eec
Opcode Fuzzy Hash: dda5006f7fdc4214530c7d81fd7f16fb85de6ae6ff1ed4fe6be72a9a0138157c
Instruction Fuzzy Hash: B6416E72800209AACF14EBE4DD86DEE7778FF55340F504125F209B2196EA35AF48DB62

Function 008D06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008D07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008D07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008D07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008D0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 008D082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008D0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008D083C

Strings

SOFTWARE\Classes\, xrefs: 008D070E
\IPC$, xrefs: 008D0784
\CLSID, xrefs: 008D0724

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d0f9a6105066a3369e833babc1e9638470db5649c6a5425b2e3be8f3b8758425
Instruction ID: 0fcbbdd00910bce316102dfc6e9ccf7fccff20718687c3dc4c1d7c1e29b795e6
Opcode Fuzzy Hash: d0f9a6105066a3369e833babc1e9638470db5649c6a5425b2e3be8f3b8758425
Instruction Fuzzy Hash: 44410772C10229AADF15EBA4DC859EDB778FF48350F458129E905A72A1EB309E04DF91

Function 00903F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0090403B
CreateCompatibleDC.GDI32(00000000), ref: 00904042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00904055
SelectObject.GDI32(00000000,00000000), ref: 0090405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00904068
DeleteDC.GDI32(00000000), ref: 00904072
GetWindowLongW.USER32(?,000000EC), ref: 0090407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00904092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0090409E

Strings

static, xrefs: 00903FD3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 31ee9d399b6527ee8cf5c8a7cf2d2694bfb7b9905cedfba39c3bb10287f3e7a8
Instruction ID: 18798cb985117f6394aad805a5ff020ecdf04e74d425af85b3c5d2795b1cadb8
Opcode Fuzzy Hash: 31ee9d399b6527ee8cf5c8a7cf2d2694bfb7b9905cedfba39c3bb10287f3e7a8
Instruction Fuzzy Hash: E73137B2515219AFDF229FA4DC09FDA3BA8EF0A724F110311FA58A61E0C775D861EB50

Function 008F3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F3C5C
CoInitialize.OLE32(00000000), ref: 008F3C8A
CoUninitialize.OLE32 ref: 008F3C94
_wcslen.LIBCMT ref: 008F3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 008F3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 008F3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 008F3F0E
CoGetObject.OLE32(?,00000000,0090FB98,?), ref: 008F3F2D
SetErrorMode.KERNEL32(00000000), ref: 008F3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008F3FC4
VariantClear.OLEAUT32(?), ref: 008F3FD8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: cd0669717cfdff206a0b38a33776ed3ae64bc53c12ab4a3e250d7fa47c4b5332
Instruction ID: bd019c365b10fad14f5771c907b43f36bef19acd006d262b42fe3ffbee3bef96
Opcode Fuzzy Hash: cd0669717cfdff206a0b38a33776ed3ae64bc53c12ab4a3e250d7fa47c4b5332
Instruction Fuzzy Hash: F0C10471608209AFD700DF68C88492BB7E9FF89748F14491DFA8ADB251DB31EE45CB52

Function 008E7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008E7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008E7B8F
SHGetDesktopFolder.SHELL32(?), ref: 008E7BA3
CoCreateInstance.OLE32(0090FD08,00000000,00000001,00936E6C,?), ref: 008E7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008E7C74
CoTaskMemFree.OLE32(?,?), ref: 008E7CCC
SHBrowseForFolderW.SHELL32(?), ref: 008E7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008E7D7A
CoTaskMemFree.OLE32(00000000), ref: 008E7D81
CoTaskMemFree.OLE32(00000000), ref: 008E7DD6
CoUninitialize.OLE32 ref: 008E7DDC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 1d725e630314cc8314677c4f73850edf6ed06c5a8b77d2e7801b1553d546e71c
Instruction ID: 7cfea90eb601c990c58ce9d7a508bfea3f2f6621d07242d0f873ee4a0bff4539
Opcode Fuzzy Hash: 1d725e630314cc8314677c4f73850edf6ed06c5a8b77d2e7801b1553d546e71c
Instruction Fuzzy Hash: B5C12A75A04149AFCB14DFA9C884DAEBBF9FF49314B148598E819DB361D730EE41CB90

Function 0090541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00905504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00905515
CharNextW.USER32(00000158), ref: 00905544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00905585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0090559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009055AC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a73aef8cbdfe1306b204880e260c10f2712581f75ca5e0ec832d7e97e090fe0a
Instruction ID: 520440cfff43d9f7208a0370509d6931e7da326aa8d038e09ad024cbf573016f
Opcode Fuzzy Hash: a73aef8cbdfe1306b204880e260c10f2712581f75ca5e0ec832d7e97e090fe0a
Instruction Fuzzy Hash: DC617775904609AFDF208F94CC84EFF7BB9EB0A320F118545F925AA2E0D7749A81DF60

Function 008CFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008CFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 008CFB08
VariantInit.OLEAUT32(?), ref: 008CFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 008CFB3A
VariantCopy.OLEAUT32(?,?), ref: 008CFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 008CFBA1
VariantClear.OLEAUT32(?), ref: 008CFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 008CFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008CFBCC
VariantClear.OLEAUT32(?), ref: 008CFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008CFBE9

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 186cd0225d23373cf30bce6bfa206118b069fbc8ba2c00bc68b63c87abb9894b
Instruction ID: 3130a4e80b77c7ec84feae244a7a24730355ecd404f994dff52c32d5413e0a7c
Opcode Fuzzy Hash: 186cd0225d23373cf30bce6bfa206118b069fbc8ba2c00bc68b63c87abb9894b
Instruction Fuzzy Hash: 18413F75A04219AFDB00DF68C854EADBBBAFF48354F008169E945E7262CB30ED45DF91

Function 008D9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008D9CA1
GetAsyncKeyState.USER32(000000A0), ref: 008D9D22
GetKeyState.USER32(000000A0), ref: 008D9D3D
GetAsyncKeyState.USER32(000000A1), ref: 008D9D57
GetKeyState.USER32(000000A1), ref: 008D9D6C
GetAsyncKeyState.USER32(00000011), ref: 008D9D84
GetKeyState.USER32(00000011), ref: 008D9D96
GetAsyncKeyState.USER32(00000012), ref: 008D9DAE
GetKeyState.USER32(00000012), ref: 008D9DC0
GetAsyncKeyState.USER32(0000005B), ref: 008D9DD8
GetKeyState.USER32(0000005B), ref: 008D9DEA

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: afb468424e2b183a68667429c151583e9102943491c0e1abdc4706b75bb240ab
Instruction ID: c695c9152d8408cf7c6910aadab5874fa7a8ce0c1b2db673a0642af7f609ad43
Opcode Fuzzy Hash: afb468424e2b183a68667429c151583e9102943491c0e1abdc4706b75bb240ab
Instruction Fuzzy Hash: F341D5745087CA6DFF30976488043B5BFA1FB11344F04825BDAC6D67C2EBA599C8C7A2

Function 008F055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008F05BC
inet_addr.WSOCK32(?), ref: 008F061C
gethostbyname.WSOCK32(?), ref: 008F0628
IcmpCreateFile.IPHLPAPI ref: 008F0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008F06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008F06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008F07B9
WSACleanup.WSOCK32 ref: 008F07BF

Strings

Ping, xrefs: 008F0676

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fd019fa54e3c3c722db6078ce2da5b06d79fde6003b775f594454a35d17f8aa9
Instruction ID: a539017b0e17980061c1ec8a32e6ad7e4d91d521d834ee923d85f900a8d95fd3
Opcode Fuzzy Hash: fd019fa54e3c3c722db6078ce2da5b06d79fde6003b775f594454a35d17f8aa9
Instruction Fuzzy Hash: 24916D755082059FD720DF29C488B2ABBE0FF44318F1485A9E569DB6A2C771ED41CF92

Function 008F8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 008F8CF3

Part of subcall function 008D8E54: _wcslen.LIBCMT ref: 008D8E77

_wcslen.LIBCMT ref: 008F8D4E
_wcslen.LIBCMT ref: 008F8D9C
_wcslen.LIBCMT ref: 008F8DDC
_wcslen.LIBCMT ref: 008F8E6E

Strings

winapi, xrefs: 008F8D96, 008F8D9B
none, xrefs: 008F8E65, 008F8E6A
cdecl, xrefs: 008F8D48, 008F8D4D
stdcall, xrefs: 008F8DD6, 008F8DDB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1ae471b2c8ca0760123e0d3b03bd666355cb8a167aaac5f839cc49bd7c6102dd
Instruction ID: 877badc82c51e876bc4d015c3751a4b52e1ed8786e9d874d614a0f729c1fbbae
Opcode Fuzzy Hash: 1ae471b2c8ca0760123e0d3b03bd666355cb8a167aaac5f839cc49bd7c6102dd
Instruction Fuzzy Hash: 4251AF32A0051ADBCF24EF7CC9418BEB7A5FF64324B244229E666E7284DB30DD40CB91

Function 008F372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 008F3774
CoUninitialize.OLE32 ref: 008F377F
CoCreateInstance.OLE32(?,00000000,00000017,0090FB78,?), ref: 008F37D9
IIDFromString.OLE32(?,?), ref: 008F384C
VariantInit.OLEAUT32(?), ref: 008F38E4
VariantClear.OLEAUT32(?), ref: 008F3936

Strings

Failed to create object, xrefs: 008F37E4, 008F389A
Invalid parameter, xrefs: 008F3865
NULL Pointer assignment, xrefs: 008F381E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 0d5cc0ff94c9e3185e16128f08efa95fffa026619c007b237a805566efe6290e
Instruction ID: 4524fa135fd48bd735ae401336f930caaf717d6b9e2978fcc2ebb3bd9b302c5c
Opcode Fuzzy Hash: 0d5cc0ff94c9e3185e16128f08efa95fffa026619c007b237a805566efe6290e
Instruction Fuzzy Hash: 9F6190B0608305AFD310EF64C889B6ABBE4FF49754F104919FA85DB291D774EE48CB92

Function 008E3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008E33CF

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008E33F0

Strings

Incorrect parameters to object property !, xrefs: 008E34AB
Line %d (File "%s"):, xrefs: 008E3443, 008E345C
"%s" (%d) : ==> %s:%s%s, xrefs: 008E3504
Error: , xrefs: 008E34D1
^ ERROR , xrefs: 008E349E
"%s" (%d) : ==> %s:, xrefs: 008E3522

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 459dcbd1d04e6cc78832a2da8909297881e6d668e60edbfc9e698809841732fb
Instruction ID: fa3eaf67dffcda17558dcaa70d69c90e63ef12788251323b9857540a14697eb4
Opcode Fuzzy Hash: 459dcbd1d04e6cc78832a2da8909297881e6d668e60edbfc9e698809841732fb
Instruction Fuzzy Hash: 66519D72800209AADF15EBA4CD46EEEB778FF15344F108165F509B21A2EB316F58DF62

Function 008DB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008DB5FC
_wcslen.LIBCMT ref: 008DB608
_wcslen.LIBCMT ref: 008DB64D
_wcslen.LIBCMT ref: 008DB68C
_wcslen.LIBCMT ref: 008DB6C7

Strings

REMOVE, xrefs: 008DB602, 008DB607
KEYS, xrefs: 008DB647, 008DB64C
APPEND, xrefs: 008DB6C1, 008DB6C6
EXISTS, xrefs: 008DB686, 008DB68B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6933b2448a5e312953cfbc5ec57cca42f352c478acad791e27699cdbbcb8bb77
Instruction ID: 35e7ec3f0459c7269a71991f8e8148820f0e76705a0c591dc5f71a0d7160290a
Opcode Fuzzy Hash: 6933b2448a5e312953cfbc5ec57cca42f352c478acad791e27699cdbbcb8bb77
Instruction Fuzzy Hash: BA41B632A00126DBCB206F7D98905BE7BA5FB75768B26432AE425D7384E731CD81C790

Function 008E5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008E53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008E5416
GetLastError.KERNEL32 ref: 008E5420
SetErrorMode.KERNEL32(00000000,READY), ref: 008E54A7

Strings

INVALID, xrefs: 008E5459
NOTREADY, xrefs: 008E544B
READONLY, xrefs: 008E5452
READY, xrefs: 008E5460, 008E5468
UNKNOWN, xrefs: 008E5444

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7a21a72e8deda4fa0f2ab8a37bf212423e37cd596de7dfc5f423709d18748a22
Instruction ID: 80a7c197fe1655cdfbbb1b894d96e6cda38f2495893848e6e4cff540ec4e410b
Opcode Fuzzy Hash: 7a21a72e8deda4fa0f2ab8a37bf212423e37cd596de7dfc5f423709d18748a22
Instruction Fuzzy Hash: 6A31D0B5A002489FC710DF69C884AAABBF4FF4630DF148065E405CB2D2D770DD86CB91

Function 00903C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00903C79
SetMenu.USER32(?,00000000), ref: 00903C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00903D10
IsMenu.USER32(?), ref: 00903D24
CreatePopupMenu.USER32 ref: 00903D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00903D5B
DrawMenuBar.USER32 ref: 00903D63

Strings

F, xrefs: 00903D4E
0, xrefs: 00903C54

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: e510db58bb8cde4498a3972c72809ee71df5a4a8667550ae14fa443894d07ca7
Instruction ID: b29622f4375bdb8e645f997812982482bd2d03be564afa38e0f1c6615707db24
Opcode Fuzzy Hash: e510db58bb8cde4498a3972c72809ee71df5a4a8667550ae14fa443894d07ca7
Instruction Fuzzy Hash: 0F417CB9A15209EFDB14CF64E844EAA7BB9FF49350F144129F946973A0D730AA10EF90

Function 008D1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 008D1F64
GetDlgCtrlID.USER32 ref: 008D1F6F
GetParent.USER32 ref: 008D1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 008D1F8E
GetDlgCtrlID.USER32(?), ref: 008D1F97
GetParent.USER32(?), ref: 008D1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 008D1FAE

Strings

ComboBox, xrefs: 008D1EEC
ListBox, xrefs: 008D1F21

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 27af7f1ebde9656b1b9e1cc2e93327e7b94fbb91a9874c7d5d06d5dd3e64dfd8
Instruction ID: ee283b378b279a1a472da1254587d8db84890266680672488b76d38aa7df8981
Opcode Fuzzy Hash: 27af7f1ebde9656b1b9e1cc2e93327e7b94fbb91a9874c7d5d06d5dd3e64dfd8
Instruction Fuzzy Hash: E021C2B1A00214BFCF15AFA4DC85DEEBBB8FF15314F004216F965A7291CB359908DB61

Function 008D1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 008D2043
GetDlgCtrlID.USER32 ref: 008D204E
GetParent.USER32 ref: 008D206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008D206D
GetDlgCtrlID.USER32(?), ref: 008D2076
GetParent.USER32(?), ref: 008D208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 008D208D

Strings

ComboBox, xrefs: 008D1FCD
ListBox, xrefs: 008D2002

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8e95b31f4c7264554ba6ad20630e605fb3e010f48ecbd94833b12c9e8cd65862
Instruction ID: aec7d97da28aaef3bfd95b2ca71b22aa0691dc861d6076abbaffdb6d41b60d32
Opcode Fuzzy Hash: 8e95b31f4c7264554ba6ad20630e605fb3e010f48ecbd94833b12c9e8cd65862
Instruction Fuzzy Hash: 6621D4B1A00218BFCF10AFA4CC85EEEBBB8FF19304F004116F955E72A1CA758914DB61

Function 00903A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00903A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00903AA0
GetWindowLongW.USER32(?,000000F0), ref: 00903AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00903AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00903B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00903BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00903BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00903BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00903BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00903C13

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8fd71ee559eb3e9cdf850f209ec12b00eaeea338ffdbd09cd2f2223fe34c4413
Instruction ID: 02883d6345dd2fa6c5c287bbf85957caaae1f0172c00d416346fe925ad6a62ea
Opcode Fuzzy Hash: 8fd71ee559eb3e9cdf850f209ec12b00eaeea338ffdbd09cd2f2223fe34c4413
Instruction Fuzzy Hash: 08617875A00218AFDB10DFA8CC81EEE77BCEB49714F104199FA15E72E1D774AA81DB50

Function 008A2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008A2C94

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008A2CA0
_free.LIBCMT ref: 008A2CAB
_free.LIBCMT ref: 008A2CB6
_free.LIBCMT ref: 008A2CC1
_free.LIBCMT ref: 008A2CCC
_free.LIBCMT ref: 008A2CD7
_free.LIBCMT ref: 008A2CE2
_free.LIBCMT ref: 008A2CED
_free.LIBCMT ref: 008A2CFB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2ac166815e1b5bea8c86a7748ef7fe99451a43c801e0b2abbb00d26b32c1ad3
Instruction ID: 4d51c59b50e127baee464e20b05670ec093c59c8904e6c088f2176b277a5d62b
Opcode Fuzzy Hash: f2ac166815e1b5bea8c86a7748ef7fe99451a43c801e0b2abbb00d26b32c1ad3
Instruction Fuzzy Hash: 6611C676100108AFDB52EF5CD842DDE3FA5FF06750F4544A0FA489BA22D631EA509B92

Function 008E7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008E7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 008E7FC1
GetFileAttributesW.KERNEL32(?), ref: 008E7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 008E8005
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8017
SetCurrentDirectoryW.KERNEL32(?), ref: 008E8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008E80B0

Strings

*.*, xrefs: 008E8066

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: f46a27be73811c0725dfcb90bf9cb4f97f0f1aef6169359dda01b247c7e10486
Instruction ID: ee17e0257417e8027f322fd99b79c49aa65ed43018b7a4d88ae7c37f73360ac1
Opcode Fuzzy Hash: f46a27be73811c0725dfcb90bf9cb4f97f0f1aef6169359dda01b247c7e10486
Instruction Fuzzy Hash: 5A81B2715082869BCB24EF1AC8449AEB3E8FF86714F144C6EF889D7250EB34DD45CB52

Function 00875BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00875C7A

Part of subcall function 00875D0A: GetClientRect.USER32(?,?), ref: 00875D30
Part of subcall function 00875D0A: GetWindowRect.USER32(?,?), ref: 00875D71
Part of subcall function 00875D0A: ScreenToClient.USER32(?,?), ref: 00875D99

GetDC.USER32 ref: 008B46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008B4708
SelectObject.GDI32(00000000,00000000), ref: 008B4716
SelectObject.GDI32(00000000,00000000), ref: 008B472B
ReleaseDC.USER32(?,00000000), ref: 008B4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008B47C4

Strings

U, xrefs: 008B4693

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 1e57796255797a8db7b0129c63870a964ab218657cba0f9fcbd9b6368a27d5a7
Instruction ID: e9fd88642468e2dda5fe03e1b4e11dab4806293620ef5c3356a603764f0dec51
Opcode Fuzzy Hash: 1e57796255797a8db7b0129c63870a964ab218657cba0f9fcbd9b6368a27d5a7
Instruction Fuzzy Hash: 4071F134404209DFDF218F64C986AFA3BB5FF8A314F245269E955DA2ABCB31D881DF50

Function 008E359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008E35E4

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

LoadStringW.USER32(00942390,?,00000FFF,?), ref: 008E360A

Strings

Line %d (File "%s"):, xrefs: 008E366B
"%s" (%d) : ==> %s:%s%s, xrefs: 008E3724
Error: , xrefs: 008E36EF
"%s" (%d) : ==> %s:, xrefs: 008E3742
^ ERROR, xrefs: 008E36C9

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 23b5dcb1c389a8664c75ce9a863ee58606e7561b7b1397072ad86470988abc2e
Instruction ID: 67c35a9da3d87b799bb2dd9c895a0b0b5f9085b7690ee2bc938845404083fb64
Opcode Fuzzy Hash: 23b5dcb1c389a8664c75ce9a863ee58606e7561b7b1397072ad86470988abc2e
Instruction Fuzzy Hash: 84518F71800249BACF15EBA4DC46EEEBB78FF15304F048125F109B21A5EB309B98DF62

Function 00908B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

Part of subcall function 0088912D: GetCursorPos.USER32(?), ref: 00889141
Part of subcall function 0088912D: ScreenToClient.USER32(00000000,?), ref: 0088915E
Part of subcall function 0088912D: GetAsyncKeyState.USER32(00000001), ref: 00889183
Part of subcall function 0088912D: GetAsyncKeyState.USER32(00000002), ref: 0088919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00908B6B
ImageList_EndDrag.COMCTL32 ref: 00908B71
ReleaseCapture.USER32 ref: 00908B77
SetWindowTextW.USER32(?,00000000), ref: 00908C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00908C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00908CFF

Strings

@GUI_DRAGFILE, xrefs: 00908C9A
@GUI_DROPID, xrefs: 00908C51

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: a3e45c65a4f5cc989166b6a7e18fcaa16baad9a0ee54e2b0889e91e9fdf2c70e
Instruction ID: c53b529f0d0694e8b66c538917624b9bf9464c700ff27ceb21711f73c764cc7c
Opcode Fuzzy Hash: a3e45c65a4f5cc989166b6a7e18fcaa16baad9a0ee54e2b0889e91e9fdf2c70e
Instruction Fuzzy Hash: D8519D74208310AFE714EF24DC56FAA77E4FB88714F000A2DF996A72E1CB719944DB62

Function 008EC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008EC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008EC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008EC2CA
GetLastError.KERNEL32 ref: 008EC322
SetEvent.KERNEL32(?), ref: 008EC336
InternetCloseHandle.WININET(00000000), ref: 008EC341

Strings

, xrefs: 008EC2BB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ba394aed78d07368a008f573c6ca53a32c6e55e2f83ed592e43389657e17f6de
Instruction ID: 9a4ef7f8cdb5c5d6672e8674bb09b755507e59182e7a6b51eb37c92e892d20d2
Opcode Fuzzy Hash: ba394aed78d07368a008f573c6ca53a32c6e55e2f83ed592e43389657e17f6de
Instruction Fuzzy Hash: DE317FB1904648AFD7219FAA8C88AAB7BFCFB4A744F14851DF446D2200DB30DD069B61

Function 008D989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008B3AAF,?,?,Bad directive syntax error,0090CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008D98BC
LoadStringW.USER32(00000000,?,008B3AAF,?), ref: 008D98C3

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008D9987

Strings

., xrefs: 008D996D
Line %d (File "%s"):, xrefs: 008D992D
Line %d:, xrefs: 008D9912
Error: , xrefs: 008D9955
%s (%d) : ==> %s.: %s %s, xrefs: 008D98F1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 21be63b5072ac8f36e5a560373e2458638af87d768c3fe890ecf6ec9b8ab5875
Instruction ID: 0ddd6d2608400c37ff3e53d3ecb0f7891190bdc66e0aab976ff96af5edb24a79
Opcode Fuzzy Hash: 21be63b5072ac8f36e5a560373e2458638af87d768c3fe890ecf6ec9b8ab5875
Instruction Fuzzy Hash: C0216031C0421ABBCF15AF94CC1AEEE7779FF18304F048466F519A61A2EB719618DB52

Function 008D209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008D20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008D20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008D214D

Strings

details, xrefs: 008D20FB
SHELLDLL_DefView, xrefs: 008D20CC
smallicons, xrefs: 008D2115
list, xrefs: 008D212F
largeicons, xrefs: 008D20E1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 63b30e64875a45dfb611aa9725cfc42776ebb63ba1efe8231c4be25c0dccf4de
Instruction ID: 0725aa7c8710cbb21ff42f0dd8ec3167b583ca265004a1cbb0e855ce4cff4623
Opcode Fuzzy Hash: 63b30e64875a45dfb611aa9725cfc42776ebb63ba1efe8231c4be25c0dccf4de
Instruction Fuzzy Hash: 8A110676688717B9FE117224DC07DA677ACEF28728F214317FB04E51E1FE61B8025A14

Function 008A8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe6fe087edfcb4177dde1b17ad0f3c5162f70081ce81c99a384acc3a22678e2
Instruction ID: 096bb3bd5c01b18b88f7e31a737fdc7dcaf09a23fe2cd5f699c54b807dee19da
Opcode Fuzzy Hash: abe6fe087edfcb4177dde1b17ad0f3c5162f70081ce81c99a384acc3a22678e2
Instruction Fuzzy Hash: 7FC1C174908249DFEF11AFACC841BADBFB4FF0A310F184199E954E7692CB749941CB61

Function 008ACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008ACEB7
_free.LIBCMT ref: 008ACF22
_free.LIBCMT ref: 008ACF48
_free.LIBCMT ref: 008ACF71
_free.LIBCMT ref: 008ACFA9
_free.LIBCMT ref: 008ACFDA
_free.LIBCMT ref: 008AD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008AD09C
_free.LIBCMT ref: 008AD0B5

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 7a2c4cb8d19c4728052e71f38b2642f6594a9e9b1983165dd83ba3f5f649961f
Instruction ID: 8bb152a05d000a4d265680dc445d91a82be560ce9b95c3c5f32b405486be5d09
Opcode Fuzzy Hash: 7a2c4cb8d19c4728052e71f38b2642f6594a9e9b1983165dd83ba3f5f649961f
Instruction Fuzzy Hash: C2614772908304AFFF21AFBC9881B6A7BA5FF03320F04416DFA55D7A82DA719D018752

Function 009050D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00905186
ShowWindow.USER32(?,00000000), ref: 009051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009051D1

Part of subcall function 00906FBA: DeleteObject.GDI32(00000000), ref: 00906FE6

GetWindowLongW.USER32(?,000000F0), ref: 0090520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0090521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0090524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00905287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00905296

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: ade5a78e8100d3d42d4f094e3dab38dacd946b52854cae73af1d3abf3bc82d75
Instruction ID: 42f21d8540a8a49edda15eb1570b5fce20ae7728ada57116422b33cafb06eb32
Opcode Fuzzy Hash: ade5a78e8100d3d42d4f094e3dab38dacd946b52854cae73af1d3abf3bc82d75
Instruction Fuzzy Hash: 1A518C70A58A09FEEF20AF28CC4AB9A3BA9EF05321F154511F625D62E0C775A990DF41

Function 00888B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 008C6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008C68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008C68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008C68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008C68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00888874,00000000,00000000,00000000,000000FF,00000000), ref: 008C6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008C691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00888874,00000000,00000000,00000000,000000FF,00000000), ref: 008C692D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 152fdd5a448fb3d16ca92197caf14e6d6faff671cb9cd6e15a16e07ca3dfc264
Instruction ID: 4ee983f57c1ad6e0baac3c34f7aa129f384067dc3f4f95d109905d3b8a6a9a3d
Opcode Fuzzy Hash: 152fdd5a448fb3d16ca92197caf14e6d6faff671cb9cd6e15a16e07ca3dfc264
Instruction Fuzzy Hash: 32516C74610209EFDB24DF24CC95FAA7BB5FB88760F104628F956D72A0EB70E990DB50

Function 008EC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008EC182
GetLastError.KERNEL32 ref: 008EC195
SetEvent.KERNEL32(?), ref: 008EC1A9

Part of subcall function 008EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008EC272
Part of subcall function 008EC253: GetLastError.KERNEL32 ref: 008EC322
Part of subcall function 008EC253: SetEvent.KERNEL32(?), ref: 008EC336
Part of subcall function 008EC253: InternetCloseHandle.WININET(00000000), ref: 008EC341

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 0bbcf8fcae103d9683ff6360b8ab2e29df19efdff36ccd05c11ba26770a09e1d
Instruction ID: 0a8d05f3d1bede77adf862a87ef9efb8e54ce3dd851ce550ffd6a59fd4223357
Opcode Fuzzy Hash: 0bbcf8fcae103d9683ff6360b8ab2e29df19efdff36ccd05c11ba26770a09e1d
Instruction Fuzzy Hash: 6D3190B1A04785AFDB219FAADC44A67BBF9FF1A300B00451DFA56C2610D730E816EB60

Function 008D25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008D3A57
Part of subcall function 008D3A3D: GetCurrentThreadId.KERNEL32 ref: 008D3A5E
Part of subcall function 008D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008D25B3), ref: 008D3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008D25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008D25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008D25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008D25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008D2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 008D2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 008D260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008D2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 008D2627

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 801776dc4e8ffee3cf21ac46cbf0806e9a0d3a518f7b02490f7886c32d83eabf
Instruction ID: 8b85dc0e28a778fafc6686a5ef71fd959d386a3f6fe46276999b4a57049a37bb
Opcode Fuzzy Hash: 801776dc4e8ffee3cf21ac46cbf0806e9a0d3a518f7b02490f7886c32d83eabf
Instruction Fuzzy Hash: CE01D870398624BBFB2067689C8AF593F69EB5EB11F100202F314EF1D1C9E254449AAA

Function 008D1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008D1449,?,?,00000000), ref: 008D180C
HeapAlloc.KERNEL32(00000000,?,008D1449,?,?,00000000), ref: 008D1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008D1449,?,?,00000000), ref: 008D1828
GetCurrentProcess.KERNEL32(?,00000000,?,008D1449,?,?,00000000), ref: 008D1830
DuplicateHandle.KERNEL32(00000000,?,008D1449,?,?,00000000), ref: 008D1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008D1449,?,?,00000000), ref: 008D1843
GetCurrentProcess.KERNEL32(008D1449,00000000,?,008D1449,?,?,00000000), ref: 008D184B
DuplicateHandle.KERNEL32(00000000,?,008D1449,?,?,00000000), ref: 008D184E
CreateThread.KERNEL32(00000000,00000000,008D1874,00000000,00000000,00000000), ref: 008D1868

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 165c94967f899776036b324b1a596fdc88f5ea8f5b5ac631af763cb61b441fdc
Instruction ID: 952caf4af0820f1132cf14d0d51774b5e6e66f68e1e21eb8b14bc4a8f033d6de
Opcode Fuzzy Hash: 165c94967f899776036b324b1a596fdc88f5ea8f5b5ac631af763cb61b441fdc
Instruction Fuzzy Hash: AA01BFB5254304BFE750AB65DC4DF573B6CEB89B11F004511FA05DB291C6749800DB20

Function 008FA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 008DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 008DD501
Part of subcall function 008DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 008DD50F
Part of subcall function 008DD4DC: CloseHandle.KERNELBASE(00000000), ref: 008DD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FA16D
GetLastError.KERNEL32 ref: 008FA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 008FA268
GetLastError.KERNEL32(00000000), ref: 008FA273
CloseHandle.KERNEL32(00000000), ref: 008FA2C4

Strings

SeDebugPrivilege, xrefs: 008FA18F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 416b50befbbb7fc1bc8a1ff2a69e78d63e4205fa9e85c2f610ad2d4cab8526bf
Instruction ID: 049b2211ef689023bd1931c4108fa14130014aeff60830d447042ee27fde8f96
Opcode Fuzzy Hash: 416b50befbbb7fc1bc8a1ff2a69e78d63e4205fa9e85c2f610ad2d4cab8526bf
Instruction Fuzzy Hash: 7A618DB02082429FD714DF28C494F29BBA5FF44328F14848CE56A8B7A3C772ED45CB92

Function 00903886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00903925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0090393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00903954
_wcslen.LIBCMT ref: 00903999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009039F4

Strings

SysListView32, xrefs: 009038F7

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 139b971d0cf43df90aa49c4f2c2982d6d86cb7d6d28c7076858e3aac67898827
Instruction ID: 9de36692737457f801fb8dd6c8aed0f8a776c5b791ca8a2807f2b7cff4c61e86
Opcode Fuzzy Hash: 139b971d0cf43df90aa49c4f2c2982d6d86cb7d6d28c7076858e3aac67898827
Instruction Fuzzy Hash: 25419E71A00219AFEF219F64CC49BEA7BADFF48354F104526F958E72C1D7719A80CB90

Function 008DBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008DBCFD
IsMenu.USER32(00000000), ref: 008DBD1D
CreatePopupMenu.USER32 ref: 008DBD53
GetMenuItemCount.USER32(01305988), ref: 008DBDA4
InsertMenuItemW.USER32(01305988,?,00000001,00000030), ref: 008DBDCC

Strings

2, xrefs: 008DBD37
0, xrefs: 008DBCA8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 384834d11b00140655b5b957a36d34f0825cb8f70ae26b4de99f2c437c9911a2
Instruction ID: 1a43bfde836344b5f0299066f98d887cc8b1ffc67ccd00bcdd05813c37e54b9d
Opcode Fuzzy Hash: 384834d11b00140655b5b957a36d34f0825cb8f70ae26b4de99f2c437c9911a2
Instruction Fuzzy Hash: 85519C70A04209EBDB20DFA8D884BAEBBF6FF49324F15435AE441D7390DB709940CB62

Function 008DC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008DC913

Strings

question, xrefs: 008DC8CC
stop, xrefs: 008DC8E4
info, xrefs: 008DC8B4
warning, xrefs: 008DC8FC
blank, xrefs: 008DC895

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e777d0a6d4cbb265ff975d320cfd282663d95043a418651bf2a5c558e72ac7e1
Instruction ID: 75fb8375dbfc67c11610ed87a68d075e4141fa45ea3c9af4e719dd9fbc9efb3b
Opcode Fuzzy Hash: e777d0a6d4cbb265ff975d320cfd282663d95043a418651bf2a5c558e72ac7e1
Instruction Fuzzy Hash: 03110D3168930BBAEB016B54DC93CAE7BDCFF15368B50423BF501E6382D7705E01A665

Function 008DDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008DDE42
gethostname.WSOCK32(?,00000100), ref: 008DDE5C
gethostbyname.WSOCK32(?), ref: 008DDE69
inet_ntoa.WSOCK32(?), ref: 008DDEAB
_strcat.LIBCMT ref: 008DDEB9
WSACleanup.WSOCK32 ref: 008DDEDE

Strings

0.0.0.0, xrefs: 008DDE87

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 85adefba4d900b8a2fab35827b3717309284acace6aecd5ccd06ba197c3c1500
Instruction ID: 5fcea60b7e49e96f166a7c57150b1b3781f70b7319035fd1ffb87af948814ccc
Opcode Fuzzy Hash: 85adefba4d900b8a2fab35827b3717309284acace6aecd5ccd06ba197c3c1500
Instruction Fuzzy Hash: 91110A71504214AFCB207B64DC0AEDE776CFF50715F04036AF545DA291EF708A819B61

Function 00909F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

GetSystemMetrics.USER32(0000000F), ref: 00909FC7
GetSystemMetrics.USER32(0000000F), ref: 00909FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0090A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0090A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0090A263
ShowWindow.USER32(00000003,00000000), ref: 0090A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0090A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0090A2CA

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ca77f23fd95988ec980e1105ecfa81c8440655c3bce8b3136711f40b6b43fc91
Instruction ID: 987018b422b114cbbdc1c3c9b4c188462eb7bb0a899ce995b9420a9993302db5
Opcode Fuzzy Hash: ca77f23fd95988ec980e1105ecfa81c8440655c3bce8b3136711f40b6b43fc91
Instruction Fuzzy Hash: AEB1BA31604319EFDF14CF68C985BAE7BB6FF48711F088069EC59AB295DB31A940CB91

Function 008DED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008DED2A
_wcslen.LIBCMT ref: 008DED3B
_wcslen.LIBCMT ref: 008DED79
_wcslen.LIBCMT ref: 008DEDAF
_wcslen.LIBCMT ref: 008DEDDF
_wcslen.LIBCMT ref: 008DEDEF
_wcslen.LIBCMT ref: 008DEE2B
_wcslen.LIBCMT ref: 008DEE5A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 1d6e4037c5ff705c4d93a699bcf4eac5eb799e3ba3c87d4b1b4b0151cb8c27eb
Instruction ID: cfd5c3ca30091633e787af66f3547b4fec7d5163bf521dde08a7dc93c4a071c0
Opcode Fuzzy Hash: 1d6e4037c5ff705c4d93a699bcf4eac5eb799e3ba3c87d4b1b4b0151cb8c27eb
Instruction Fuzzy Hash: 19416D65C1021866CF11FBF8888A9CFB7A8FF45710F548562F518E3622FB34E255C3AA

Function 0088F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008C682C,00000004,00000000,00000000), ref: 0088F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,008C682C,00000004,00000000,00000000), ref: 008CF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,008C682C,00000004,00000000,00000000), ref: 008CF454

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 919ab7a31900167c01f0485488f82b9040bda9a66e380daca137c7bc0e1819e0
Instruction ID: f1d557988237209827249ca3e1a5cf58ecaba468a4656553617a7173fd5d2e7a
Opcode Fuzzy Hash: 919ab7a31900167c01f0485488f82b9040bda9a66e380daca137c7bc0e1819e0
Instruction Fuzzy Hash: C241D931618680BED739AB3D8C88B2A7FA2FB56314F14453CE387D6663D635E880DB11

Function 00902D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00902D1B
GetDC.USER32(00000000), ref: 00902D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00902D2E
ReleaseDC.USER32(00000000,00000000), ref: 00902D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00902D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00902D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00905A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00902DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00902DE1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4c8178d2e01ebcd9e8f88ded1e01bed1e9354a42d85d5a39381271dab5e1dd3b
Instruction ID: 63f26902be9ca54ca1bb73bce30a20d97fb54ab5fae4d7666620287eaacfd412
Opcode Fuzzy Hash: 4c8178d2e01ebcd9e8f88ded1e01bed1e9354a42d85d5a39381271dab5e1dd3b
Instruction Fuzzy Hash: 6A3167B2215214BFEF218F50CC8AFEB3BADEB09715F044165FE089A2D1C6759C51DBA4

Function 008D5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008D5637
_memcmp.LIBVCRUNTIME ref: 008D5659
_memcmp.LIBVCRUNTIME ref: 008D5671
_memcmp.LIBVCRUNTIME ref: 008D5684
_memcmp.LIBVCRUNTIME ref: 008D569E
_memcmp.LIBVCRUNTIME ref: 008D56B1
_memcmp.LIBVCRUNTIME ref: 008D56C9
_memcmp.LIBVCRUNTIME ref: 008D56E4

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 55e20c16f0e73cdb3a53f28803633ed5a71f3cae33f5d979bb6be084cdcc0caf
Instruction ID: 0530305b9095c79378573bf8f9d948c27c377c436c24f25727989338a86849a6
Opcode Fuzzy Hash: 55e20c16f0e73cdb3a53f28803633ed5a71f3cae33f5d979bb6be084cdcc0caf
Instruction Fuzzy Hash: DC212C61648A19BBEA1565149D97FFA336CFF70388F580123FD04DAB81F724EE1085A6

Function 008F4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 008F502E, 008F5383
Not an Object type, xrefs: 008F5007

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8041f9e9bf2fd1c895b81b1c21616cdc531ac8de6167e5f28198cc1bfcb778f7
Instruction ID: c859bb54715489b121e1e95b322012245eb78b0fdf18bb0d06c2a4627f1f6161
Opcode Fuzzy Hash: 8041f9e9bf2fd1c895b81b1c21616cdc531ac8de6167e5f28198cc1bfcb778f7
Instruction Fuzzy Hash: 34D17E71A0060EAFDB14CFA8C881BBEB7B5FB48344F148569EA15EB281E770E945CB50

Function 008B1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008B15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008B1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008B17FB,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008B16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008B16FB

Part of subcall function 008A3820: RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008B1777
__freea.LIBCMT ref: 008B17A2
__freea.LIBCMT ref: 008B17AE

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: cf070cfde931178b137c7ef4a57bcedd91f387f874b2282674554aad2c92fd9e
Instruction ID: caba2d7bcab7c8eabca71cd34716738e084a2631feb17e274e51bfd98c5ef548
Opcode Fuzzy Hash: cf070cfde931178b137c7ef4a57bcedd91f387f874b2282674554aad2c92fd9e
Instruction Fuzzy Hash: 3A91C671E102169EDF208E64C8A9AEE7BB5FF49314F980659E801EF345DB35DD44C760

Function 008F4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F4648
VariantInit.OLEAUT32(?), ref: 008F4749
VariantClear.OLEAUT32(?), ref: 008F4753
VariantClear.OLEAUT32(?), ref: 008F47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 008F472C
Null Object assignment in FOR..IN loop, xrefs: 008F45D8, 008F4706, 008F47BE

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b56a99a2e52b3df70abdf1649dc96970a3bf7c48c3c473c8b246fbdb9dca3f65
Instruction ID: c932a7ac536094552394f3174f5a84b946650aa060f48d5fd47b24c825c6e6e1
Opcode Fuzzy Hash: b56a99a2e52b3df70abdf1649dc96970a3bf7c48c3c473c8b246fbdb9dca3f65
Instruction Fuzzy Hash: 9E916871A0021DABDB20DFA5C884EAFBBB8FF46714F10855AF605EB280D7709945CFA0

Function 008E1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 008E125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 008E1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008E12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008E12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008E135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008E13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008E1430

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 00e89b729efdc7fd996da614480e1ba192a14e76466fad10db80cda1305e3ac9
Instruction ID: af5c91d82bca7ecbaad3a7bc852703dbc2bf2510892f7b1c71d7741f7ebf0b6f
Opcode Fuzzy Hash: 00e89b729efdc7fd996da614480e1ba192a14e76466fad10db80cda1305e3ac9
Instruction Fuzzy Hash: 5D91E575A002599FDF00DF99C888BBEB7B5FF46319F144029EA00E7292D774E941CB95

Function 0088948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e50cf1a0528d4dedc5c7638a78b6aad8ee6539e51e727ee55e14737e4137fa7b
Instruction ID: 2e8fc3d0f67d52a79ff7c1a63c8c967642d5cfd2fadf7a5c4844204b2ee33098
Opcode Fuzzy Hash: e50cf1a0528d4dedc5c7638a78b6aad8ee6539e51e727ee55e14737e4137fa7b
Instruction Fuzzy Hash: 96912371944219EFCB10DFA9C884AEEBBB8FF48320F188159E555F7251D374AA42DB60

Function 008F3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F396B
CharUpperBuffW.USER32(?,?), ref: 008F3A7A
_wcslen.LIBCMT ref: 008F3A8A
VariantClear.OLEAUT32(?), ref: 008F3C1F

Part of subcall function 008E0CDF: VariantInit.OLEAUT32(00000000), ref: 008E0D1F
Part of subcall function 008E0CDF: VariantCopy.OLEAUT32(?,?), ref: 008E0D28
Part of subcall function 008E0CDF: VariantClear.OLEAUT32(?), ref: 008E0D34

Strings

AUTOIT.ERROR, xrefs: 008F3A80, 008F3A85
Incorrect Parameter format, xrefs: 008F39A6, 008F3BA1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a461e9c59395941b960c1f89e24e859ae8a3af5d28beeda0497e17f40381702a
Instruction ID: e12ca0ec946ab25f979bdca6dc230925966e45f5a4cdeb88792d6f539b64d31f
Opcode Fuzzy Hash: a461e9c59395941b960c1f89e24e859ae8a3af5d28beeda0497e17f40381702a
Instruction Fuzzy Hash: 0C9134746083099FC704EF28C49192AB7E4FB89314F14892EF989DB351DB31EE45CB92

Function 008F4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 008D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?,?,008D035E), ref: 008D002B
Part of subcall function 008D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0046
Part of subcall function 008D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0054
Part of subcall function 008D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?), ref: 008D0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 008F4C51
_wcslen.LIBCMT ref: 008F4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 008F4DCF
CoTaskMemFree.OLE32(?), ref: 008F4DDA

Strings

NULL Pointer assignment, xrefs: 008F4E23, 008F4E52

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a9e7085ac80162df15942bffc22394fd1ad4ec73e288d4094d5d0e9c15967f31
Instruction ID: 50da55e659ec8df03727af33a943415222bc60d80862a9a0293244507b8ef8c3
Opcode Fuzzy Hash: a9e7085ac80162df15942bffc22394fd1ad4ec73e288d4094d5d0e9c15967f31
Instruction Fuzzy Hash: F291F571D0021DAFDF14DFA4C891AEEBBB8FF48314F10816AE919E7251EB349A448F61

Function 009020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00902183
GetMenuItemCount.USER32(00000000), ref: 009021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009021DD
_wcslen.LIBCMT ref: 00902213
GetMenuItemID.USER32(?,?), ref: 0090224D
GetSubMenu.USER32(?,?), ref: 0090225B

Part of subcall function 008D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008D3A57
Part of subcall function 008D3A3D: GetCurrentThreadId.KERNEL32 ref: 008D3A5E
Part of subcall function 008D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008D25B3), ref: 008D3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009022E3

Part of subcall function 008DE97B: Sleep.KERNEL32 ref: 008DE9F3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 083555eb9c34b030fbdd29a569de96a6d21dd43c0a77ae63a393a6d6f8debceb
Instruction ID: a74fbea71e01487b84814f8804b677170d6348153064a7ad5161f55e3a795448
Opcode Fuzzy Hash: 083555eb9c34b030fbdd29a569de96a6d21dd43c0a77ae63a393a6d6f8debceb
Instruction Fuzzy Hash: 51718175E04205AFCB14EFA8C845AAEB7F5FF48310F148459E926EB391DB34ED418B91

Function 00907E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01305AC8), ref: 00907F37
IsWindowEnabled.USER32(01305AC8), ref: 00907F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0090801E
SendMessageW.USER32(01305AC8,000000B0,?,?), ref: 00908051
IsDlgButtonChecked.USER32(?,?), ref: 00908089
GetWindowLongW.USER32(01305AC8,000000EC), ref: 009080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009080C3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 12bc116f9fe5869e71d221b36265cf4a19e9c5f114bd079654406953ab3c70b9
Instruction ID: 1008403ea595f88905858289b6e11efef3200a6535f0897304ac1572a6f59b5f
Opcode Fuzzy Hash: 12bc116f9fe5869e71d221b36265cf4a19e9c5f114bd079654406953ab3c70b9
Instruction Fuzzy Hash: 42716174A08206AFEF259F94CC94FEABBB9EF49310F144459FA45972E1CB31B845DB20

Function 008DAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008DAEF9
GetKeyboardState.USER32(?), ref: 008DAF0E
SetKeyboardState.USER32(?), ref: 008DAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 008DAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 008DAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 008DAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008DB020

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9c8226ba77ea142dcaf631f3f46474382384c4cebcb50f2322e80b69c0d0807f
Instruction ID: 0acfbd2f69dea3999e7a3f2bf8eea3072a441ce5ad63820b052a9a73a01c1600
Opcode Fuzzy Hash: 9c8226ba77ea142dcaf631f3f46474382384c4cebcb50f2322e80b69c0d0807f
Instruction Fuzzy Hash: 955103A16047D57DFB3A43348805BBB7FE9AB06304F18868AE1E5C55C2C799ACC8D362

Function 008DACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008DAD19
GetKeyboardState.USER32(?), ref: 008DAD2E
SetKeyboardState.USER32(?), ref: 008DAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008DADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008DADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008DAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008DAE38

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e513602c173000145f040c0e381b1e30ac048135a98b1b04c4088181a9b93d5d
Instruction ID: 22ecf0609e79a397f7389b870e7175d964285491554059715f521a0e8a1b2766
Opcode Fuzzy Hash: e513602c173000145f040c0e381b1e30ac048135a98b1b04c4088181a9b93d5d
Instruction Fuzzy Hash: 0251E7A15047D53DFB3A4334CC85B7A7F99FB46300F18868AE1D5D6AC2C294EC84E762

Function 008A542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(008B3CD6,?,?,?,?,?,?,?,?,008A5BA3,?,?,008B3CD6,?,?), ref: 008A5470
__fassign.LIBCMT ref: 008A54EB
__fassign.LIBCMT ref: 008A5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,008B3CD6,00000005,00000000,00000000), ref: 008A552C
WriteFile.KERNEL32(?,008B3CD6,00000000,008A5BA3,00000000,?,?,?,?,?,?,?,?,?,008A5BA3,?), ref: 008A554B
WriteFile.KERNEL32(?,?,00000001,008A5BA3,00000000,?,?,?,?,?,?,?,?,?,008A5BA3,?), ref: 008A5584

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6236e8eae3e99b411d54566ae277a28855db71d99294eca326a5351783496db1
Instruction ID: 13e3238ac1899dd97adf5697ba60b8bc0a903afbd6fa114d9eb8d38e854d1180
Opcode Fuzzy Hash: 6236e8eae3e99b411d54566ae277a28855db71d99294eca326a5351783496db1
Instruction Fuzzy Hash: 6451A5B1D046499FEB10CFA8D855AEEBBF9FF0A300F14415AFA55E7291D7309A81CB60

Function 00892D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00892D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00892D53
_ValidateLocalCookies.LIBCMT ref: 00892DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00892E0C
_ValidateLocalCookies.LIBCMT ref: 00892E61

Strings

csm, xrefs: 00892DF6

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e97dc51be5290811dba5f67676f2b57fa42adbfe171f553c5ee05048729f1a8a
Instruction ID: bac4ad87b4dfd8ac3f22ac4bed4865d01ded59d1d97241a645e984ef08f93670
Opcode Fuzzy Hash: e97dc51be5290811dba5f67676f2b57fa42adbfe171f553c5ee05048729f1a8a
Instruction Fuzzy Hash: 44419234A0120DABCF14FF68C885A9EBBB5FF45328F188165E814EB392D7319A55CBD1

Function 008F10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008F304E: inet_addr.WSOCK32(?), ref: 008F307A
Part of subcall function 008F304E: _wcslen.LIBCMT ref: 008F309B

socket.WSOCK32(00000002,00000001,00000006), ref: 008F1112
WSAGetLastError.WSOCK32 ref: 008F1121
WSAGetLastError.WSOCK32 ref: 008F11C9
closesocket.WSOCK32(00000000), ref: 008F11F9

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b8e09004cfe72efeb494150b0e9c39ea010cb2edec84ffa24f8b7934662b78db
Instruction ID: 55d085a5a0beaa6205250b1e58db1a1794c524efbc4977a85138df60d19b8df4
Opcode Fuzzy Hash: b8e09004cfe72efeb494150b0e9c39ea010cb2edec84ffa24f8b7934662b78db
Instruction Fuzzy Hash: 4A41C271600208EFDB109F28C888BB9B7A9FF45328F148159FE19DB291C770ED81CBA1

Function 008DCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008DCF22,?), ref: 008DDDFD

Part of subcall function 008DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008DCF22,?), ref: 008DDE16

lstrcmpiW.KERNEL32(?,?), ref: 008DCF45
MoveFileW.KERNEL32(?,?), ref: 008DCF7F
_wcslen.LIBCMT ref: 008DD005
_wcslen.LIBCMT ref: 008DD01B
SHFileOperationW.SHELL32(?), ref: 008DD061

Strings

\*.*, xrefs: 008DCFF3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e407f366686ae0bc83578c9e4a16df413304574bb49731b35c5c47aff50e3326
Instruction ID: d0dcbfd901e2731374ee6992e59fddcee123c688a64aac7325f4b78385f5145b
Opcode Fuzzy Hash: e407f366686ae0bc83578c9e4a16df413304574bb49731b35c5c47aff50e3326
Instruction Fuzzy Hash: 034163B19452195FDF12EBA4C981EDEB7B9FF08380F0001E7E549EB241EE74AA48CB51

Function 00902DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00902E1C
GetWindowLongW.USER32(?,000000F0), ref: 00902E4F
GetWindowLongW.USER32(?,000000F0), ref: 00902E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00902EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00902EE0
GetWindowLongW.USER32(?,000000F0), ref: 00902EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00902F0B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6128f12715adcbf18c63552b61fa86d074299843e5c537c49a92cf227a79a241
Instruction ID: ad81c6a4e5b5f9b1e9a49f67c152deac849a72112c819c94f63e1d708400b27f
Opcode Fuzzy Hash: 6128f12715adcbf18c63552b61fa86d074299843e5c537c49a92cf227a79a241
Instruction Fuzzy Hash: 01310634698151AFDB21CF58DC88F6537E9FB8AB50F150164FA058F2F2CB71A880EB41

Function 008D7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008D7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008D778F
SysAllocString.OLEAUT32(00000000), ref: 008D7792
SysAllocString.OLEAUT32(?), ref: 008D77B0
SysFreeString.OLEAUT32(?), ref: 008D77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008D77DE
SysAllocString.OLEAUT32(?), ref: 008D77EC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 637a69a19edfe05cacad5ec2641bb3832d7984982bfb9e3ecc209098db70aeaa
Instruction ID: f30b93acf30f132ec0b3d9a0679d89195b182a098b8accd5ebc8cb966d83da11
Opcode Fuzzy Hash: 637a69a19edfe05cacad5ec2641bb3832d7984982bfb9e3ecc209098db70aeaa
Instruction Fuzzy Hash: AE219576608219AFDB10EFA8CC84CBB77ACFB097647048626FA15DB2A1E670DC418764

Function 008D77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008D7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008D7868
SysAllocString.OLEAUT32(00000000), ref: 008D786B
SysAllocString.OLEAUT32 ref: 008D788C
SysFreeString.OLEAUT32 ref: 008D7895
StringFromGUID2.OLE32(?,?,00000028), ref: 008D78AF
SysAllocString.OLEAUT32(?), ref: 008D78BD

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 44e285badb3707443014401bec20f26156a06454d7b74cec4309f368c2aaa8cb
Instruction ID: b7ba00616c8fa0d54efb7b0bc5e54f50eea13eae41b0117dc8053b18a074cc60
Opcode Fuzzy Hash: 44e285badb3707443014401bec20f26156a06454d7b74cec4309f368c2aaa8cb
Instruction Fuzzy Hash: FB214475608108AFDB10AFA8DC89DAA77ECFB097607108236F915CB2A1E674DC41DB68

Function 008E04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008E04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E052E

Strings

nul, xrefs: 008E0567

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 1aa3d50539942dda9ba1b1f47aa6f43a06e4341e0363e8d0150569a050d61c97
Instruction ID: 6a8b63666489e708f038dc0d72829a536f717531ad38ce8d0b063ce91767698c
Opcode Fuzzy Hash: 1aa3d50539942dda9ba1b1f47aa6f43a06e4341e0363e8d0150569a050d61c97
Instruction Fuzzy Hash: 88212AB5504345AFDB209F6ADC44A9A7BB4FF46724F604E19F8A1E62E0D7B0D980DF20

Function 008E05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008E05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E0601

Strings

nul, xrefs: 008E0639

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 79a7639a59d5b2bba985161c989f0b0139b74966b6218c7fc9ce9e31dcde3c87
Instruction ID: 1dab7e7a4616041ed4530fe269ecafaad6958effa0a3c9cb081be47917d0ff4e
Opcode Fuzzy Hash: 79a7639a59d5b2bba985161c989f0b0139b74966b6218c7fc9ce9e31dcde3c87
Instruction Fuzzy Hash: FE215C755003459FDB209F6A9804A9A77A4FFA6724F240F19F8A1E62E0D6B098A0CF10

Function 009040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0087600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0087604C
Part of subcall function 0087600E: GetStockObject.GDI32(00000011), ref: 00876060
Part of subcall function 0087600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0087606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00904112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0090411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0090412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00904139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00904145

Strings

Msctls_Progress32, xrefs: 009040E3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: af272d942879459aa8d1b4729870456de73aeea43fb3cfd15a03f59c3c6b1123
Instruction ID: c0e5522507e5fcfb3001a4a01263578d832c6398fb8a8373c5a555d40984e445
Opcode Fuzzy Hash: af272d942879459aa8d1b4729870456de73aeea43fb3cfd15a03f59c3c6b1123
Instruction Fuzzy Hash: 871193B215011DBEEF218F64CC85EE77F6DEF18798F004110B718E2190CA729C61DBA4

Function 008AD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008AD7A3: _free.LIBCMT ref: 008AD7CC

_free.LIBCMT ref: 008AD82D

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008AD838
_free.LIBCMT ref: 008AD843
_free.LIBCMT ref: 008AD897
_free.LIBCMT ref: 008AD8A2
_free.LIBCMT ref: 008AD8AD
_free.LIBCMT ref: 008AD8B8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b71c5759d9493e1b6ab6ccd71d39aa440f5665ef5ed3824197578a34cd4075ff
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 58113D71540B04AAE531BFB8CC47FCB7BDCFF02700F440825B29AE6CA2DA65B5058652

Function 008DDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008DDA74
LoadStringW.USER32(00000000), ref: 008DDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008DDA91
LoadStringW.USER32(00000000), ref: 008DDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008DDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008DDAB9

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9d365c54b1917b29b14deef9f299ad05cd811bcccfc8a41b68b2d2efd6f1ac6d
Instruction ID: 6e74a13623ea6268e8353e83c7d43cb2f16ec366be89b3601b5736d47c578d04
Opcode Fuzzy Hash: 9d365c54b1917b29b14deef9f299ad05cd811bcccfc8a41b68b2d2efd6f1ac6d
Instruction Fuzzy Hash: 590186F69043187FE750ABA4DD89EEB336CE708305F404692F746E2081E6749E844F74

Function 008E096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(012FF4C8,012FF4C8), ref: 008E097B
EnterCriticalSection.KERNEL32(012FF4A8,00000000), ref: 008E098D
TerminateThread.KERNEL32(?,000001F6), ref: 008E099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008E09A9
CloseHandle.KERNEL32(?), ref: 008E09B8
InterlockedExchange.KERNEL32(012FF4C8,000001F6), ref: 008E09C8
LeaveCriticalSection.KERNEL32(012FF4A8), ref: 008E09CF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e8ebbd3ceb1aeb08b7a4e241173dd88eb5528bc081d404fe07a0cde2d5e3fcd0
Instruction ID: 0c92de8085aa507457dba42ca0c549ebf7db779de04765d6dcb1a48ba5fe5f06
Opcode Fuzzy Hash: e8ebbd3ceb1aeb08b7a4e241173dd88eb5528bc081d404fe07a0cde2d5e3fcd0
Instruction Fuzzy Hash: ABF03171456502BFD7416F94EE8CBD67B35FF01702F401215F10190CA1C77494A5DF90

Function 008F1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 008F1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008F1DE1
WSAGetLastError.WSOCK32 ref: 008F1DF2
htons.WSOCK32(?), ref: 008F1EDB
inet_ntoa.WSOCK32(?), ref: 008F1E8C

Part of subcall function 008D39E8: _strlen.LIBCMT ref: 008D39F2

Part of subcall function 008F3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,008EEC0C), ref: 008F3240

_strlen.LIBCMT ref: 008F1F35

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c77228676078c748c791fbc90545eb546ef2de1f8f9b38c87802feb32e3b4c5f
Instruction ID: a29c59cea261a04695d3ba0e26654b804347172de0ffcad396fa8f81f82b14b6
Opcode Fuzzy Hash: c77228676078c748c791fbc90545eb546ef2de1f8f9b38c87802feb32e3b4c5f
Instruction Fuzzy Hash: A9B1BE30204344AFC724EF28C889E3A7BA5FF85318F54855CF55A9B2A2DB31ED45CB92

Function 00875D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00875D30
GetWindowRect.USER32(?,?), ref: 00875D71
ScreenToClient.USER32(?,?), ref: 00875D99
GetClientRect.USER32(?,?), ref: 00875ED7
GetWindowRect.USER32(?,?), ref: 00875EF8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c6e8c3d19612f7f43743bf243e4512faf4681093fa1b6a568845d11fe6a1cca0
Instruction ID: fc1f42a078a210cd0f8c29d9d19cc5d4ef523d6e6d17c2e2f26901730813448b
Opcode Fuzzy Hash: c6e8c3d19612f7f43743bf243e4512faf4681093fa1b6a568845d11fe6a1cca0
Instruction Fuzzy Hash: F0B17735A00A4ADBDB10CFA9C4817EEBBF1FF58310F14951AE8AAD7254DB30EA40DB50

Function 008A01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008A00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A00D6
__allrem.LIBCMT ref: 008A00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A010B
__allrem.LIBCMT ref: 008A0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A0140

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 84c86851604e99395b9e4c84146bed8f3c6d867898e153ec4ab569d0ef3fa8e4
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: B881C771A00B069BFB24AF6CCC41BAA73E9FF52764F244539F551D7A82EB70D9008B51

Function 008A61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008982D9,008982D9,?,?,?,008A644F,00000001,00000001,8BE85006), ref: 008A6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008A644F,00000001,00000001,8BE85006,?,?,?), ref: 008A62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008A63D8
__freea.LIBCMT ref: 008A63E5

Part of subcall function 008A3820: RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

__freea.LIBCMT ref: 008A63EE
__freea.LIBCMT ref: 008A6413

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4618e9ab21a01c98c7d5d3c3fd043daa8c22a3f5a524166dbfccdf22a6bb918d
Instruction ID: 8e0184c18aac29f6034b715578b403f23f0b5e08e86cb3b124edaf0e481916e9
Opcode Fuzzy Hash: 4618e9ab21a01c98c7d5d3c3fd043daa8c22a3f5a524166dbfccdf22a6bb918d
Instruction Fuzzy Hash: F351BF72A00216AFFF258F64CC81EAF76A9FF46710F184629F905D6644FB34DC61D660

Function 008FBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FB6AE,?,?), ref: 008FC9B5
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FC9F1
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA68
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008FBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008FBD25
RegCloseKey.ADVAPI32(00000000), ref: 008FBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008FBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 008FBDF3
RegCloseKey.ADVAPI32(?), ref: 008FBDFF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 166aeb6d4b9c91285a5e9a593cfb49bb9a0f6a01b6f38d06ea37150f5cc2fdf4
Instruction ID: 5b32e6fecfdb354c92928161f8dd02950433e9a13ceaaa103d604e5e93e4a4f4
Opcode Fuzzy Hash: 166aeb6d4b9c91285a5e9a593cfb49bb9a0f6a01b6f38d06ea37150f5cc2fdf4
Instruction Fuzzy Hash: 3981A270108245EFD714DF24C881E2ABBE5FF84348F14855CF6598B2A2DB31ED45CB92

Function 008CF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 008CF7B9
SysAllocString.OLEAUT32(00000001), ref: 008CF860
VariantCopy.OLEAUT32(008CFA64,00000000), ref: 008CF889
VariantClear.OLEAUT32(008CFA64), ref: 008CF8AD
VariantCopy.OLEAUT32(008CFA64,00000000), ref: 008CF8B1
VariantClear.OLEAUT32(?), ref: 008CF8BB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 16c14c47a9e902b94edab9eb5055e8af92c20c2a9b35a7215057cd04f89c071f
Instruction ID: 54a6303aa16fce4236f0b5a469085f8814300afcc8c8aadcf26f7831b8f471e9
Opcode Fuzzy Hash: 16c14c47a9e902b94edab9eb5055e8af92c20c2a9b35a7215057cd04f89c071f
Instruction Fuzzy Hash: 1E51E331600314ABEF24AB69D895F29B7B6FF45314B20846AEA05DF297DB70CC44C757

Function 008E910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00877620: _wcslen.LIBCMT ref: 00877625

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008E94E5
_wcslen.LIBCMT ref: 008E9506
_wcslen.LIBCMT ref: 008E952D
GetSaveFileNameW.COMDLG32(00000058), ref: 008E9585

Strings

X, xrefs: 008E9412

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c11cf81998520571ab545e1b549a380dc5b4ea2740b684c85a0272ebe46a5670
Instruction ID: 7a4524502062b0033b4fe9006c21efc2fb0f4d4f150e9708995f474a6e340f6c
Opcode Fuzzy Hash: c11cf81998520571ab545e1b549a380dc5b4ea2740b684c85a0272ebe46a5670
Instruction Fuzzy Hash: E5E1AF315083409FD724EF29C881A6AB7E0FF86314F14896DF899DB2A2DB71DD45CB92

Function 0088920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

BeginPaint.USER32(?,?,?), ref: 00889241
GetWindowRect.USER32(?,?), ref: 008892A5
ScreenToClient.USER32(?,?), ref: 008892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008892D3
EndPaint.USER32(?,?,?,?,?), ref: 00889321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008C71EA

Part of subcall function 00889339: BeginPath.GDI32(00000000), ref: 00889357

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 546c90569972ea1dd072e4ff79b5c782b919940b62cacf8086fe07ae28e611a8
Instruction ID: 84d55b1b8ee8abcd8fafa5b857bc3a1cdfa8b7dab8bfb7bad58b0ce411c15af9
Opcode Fuzzy Hash: 546c90569972ea1dd072e4ff79b5c782b919940b62cacf8086fe07ae28e611a8
Instruction Fuzzy Hash: A2419D70108201AFD721EF64DC84FBA7BB8FB56324F180269F9A5C72E1C7719845EB62

Function 008E07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008E080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 008E0847
EnterCriticalSection.KERNEL32(?), ref: 008E0863
LeaveCriticalSection.KERNEL32(?), ref: 008E08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008E08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 008E0921

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: e9bfe3c548949fdd19745213a7d2e40ad7e063c47fe9b1de081f57441b6d879a
Instruction ID: 8e8e191644a4039e8168b7a837e55030a4ccb282ac60318addcdee9ebcb89342
Opcode Fuzzy Hash: e9bfe3c548949fdd19745213a7d2e40ad7e063c47fe9b1de081f57441b6d879a
Instruction Fuzzy Hash: 5C415671900205EFDF14AF58DC85AAA77B8FF45300B1444A5E900DE297DB70DEA1DFA1

Function 009081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008CF3AB,00000000,?,?,00000000,?,008C682C,00000004,00000000,00000000), ref: 0090824C
EnableWindow.USER32(?,00000000), ref: 00908272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009082D1
ShowWindow.USER32(?,00000004), ref: 009082E5
EnableWindow.USER32(?,00000001), ref: 0090830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0090832F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 90a34274ae268553621eabaacd7fe4dd05f99e4029af535899273648ef939ac8
Instruction ID: c48d14c2e69fa968cde2e170dae8d0046e5317c0745189575e058df4a5d593f3
Opcode Fuzzy Hash: 90a34274ae268553621eabaacd7fe4dd05f99e4029af535899273648ef939ac8
Instruction Fuzzy Hash: 0241D534705644EFDF25CF18D899FE57BE4FB4A754F180268E6984B2E2CB31A881DB40

Function 008D4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008D4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008D4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008D4CEA
_wcslen.LIBCMT ref: 008D4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008D4D10
_wcsstr.LIBVCRUNTIME ref: 008D4D1A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 5e19b0dc1abfb6b44e360b8ddbfba37106b43d57f6ff8e3e591de244365a7de0
Instruction ID: 9fe091df673739a74e4176e64679b55707ff8d8f188ac3ac981b553f193376ce
Opcode Fuzzy Hash: 5e19b0dc1abfb6b44e360b8ddbfba37106b43d57f6ff8e3e591de244365a7de0
Instruction Fuzzy Hash: AE214972204205BFEB256B39DC09E3B7B9DFF45710F10522AF805CA292DE71CC0193A0

Function 008E581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00873AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00873A97,?,?,00872E7F,?,?,?,00000000), ref: 00873AC2

_wcslen.LIBCMT ref: 008E587B
CoInitialize.OLE32(00000000), ref: 008E5995
CoCreateInstance.OLE32(0090FCF8,00000000,00000001,0090FB68,?), ref: 008E59AE
CoUninitialize.OLE32 ref: 008E59CC

Strings

.lnk, xrefs: 008E5876, 008E58C1, 008E5985

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c6be00a0086cc48dde41f3a929ed42a39f292a3fd5d7c5c263eccf017af2be64
Instruction ID: 2e8130565f778e3e18cbd65aaef581c182e74550533f3b5093e2f072c9e37c14
Opcode Fuzzy Hash: c6be00a0086cc48dde41f3a929ed42a39f292a3fd5d7c5c263eccf017af2be64
Instruction Fuzzy Hash: FFD155716086019FC714EF29C48096ABBE1FF8A728F14885DF889DB361DB31ED45CB92

Function 008D175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D0FCA
Part of subcall function 008D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D0FD6
Part of subcall function 008D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D0FE5
Part of subcall function 008D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008D0FEC
Part of subcall function 008D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D1002

GetLengthSid.ADVAPI32(?,00000000,008D1335), ref: 008D17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008D17BA
HeapAlloc.KERNEL32(00000000), ref: 008D17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008D17DA
GetProcessHeap.KERNEL32(00000000,00000000,008D1335), ref: 008D17EE
HeapFree.KERNEL32(00000000), ref: 008D17F5

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f7da7c36161eedd77331d84b46e088c18bbf9b7f02764cd27fdf26019b73da19
Instruction ID: 896b1f691a5cdd06d1ebd03367be58a68db2af1b5b58babd11b59318c8babbae
Opcode Fuzzy Hash: f7da7c36161eedd77331d84b46e088c18bbf9b7f02764cd27fdf26019b73da19
Instruction Fuzzy Hash: D3118971618205FFDF109FA4CC49BAE7BB9FF45355F10421AE441D7224C735A940DB60

Function 008D14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008D14FF
OpenProcessToken.ADVAPI32(00000000), ref: 008D1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008D1515
CloseHandle.KERNEL32(00000004), ref: 008D1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008D154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 008D1563

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7e17b18dc04177b0449ee62765863fce3be87213accc1d3caa8a9d2de034b8e3
Instruction ID: e3bae644f5088553ede57ab9f52d91c22db61d8846041172b8a87f4bbb7a9049
Opcode Fuzzy Hash: 7e17b18dc04177b0449ee62765863fce3be87213accc1d3caa8a9d2de034b8e3
Instruction Fuzzy Hash: F41117B2514209BFDF118F98ED49BDA7BBAFF48744F048215FA05E21A0C3758E60EB60

Function 00893382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00893379,00892FE5), ref: 00893390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0089339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008933B7
SetLastError.KERNEL32(00000000,?,00893379,00892FE5), ref: 00893409

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6da13c6f64f5252fbcbe90772b4966021a0c4c152ac1b654090b9267ef45ca6e
Instruction ID: d3c4f591ef4e5afb9ec2dd8a93600e1263790e4f585a304314de836c9bbad6fb
Opcode Fuzzy Hash: 6da13c6f64f5252fbcbe90772b4966021a0c4c152ac1b654090b9267ef45ca6e
Instruction Fuzzy Hash: 2301247222D711BEEF2937787C859272A94FB253793280329F411D02F0EF114D027A45

Function 008A2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008A5686,008B3CD6,?,00000000,?,008A5B6A,?,?,?,?,?,0089E6D1,?,00938A48), ref: 008A2D78
_free.LIBCMT ref: 008A2DAB
_free.LIBCMT ref: 008A2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0089E6D1,?,00938A48,00000010,00874F4A,?,?,00000000,008B3CD6), ref: 008A2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0089E6D1,?,00938A48,00000010,00874F4A,?,?,00000000,008B3CD6), ref: 008A2DEC
_abort.LIBCMT ref: 008A2DF2

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a291a2f8e08ab46f297a79e8320951d1a6e7846e0dd22e4b2aaab36051ad4579
Instruction ID: 6d1aeafa1d128bb22b99ed211cf50fbecaa7921e29c11756e192f61b1094e82b
Opcode Fuzzy Hash: a291a2f8e08ab46f297a79e8320951d1a6e7846e0dd22e4b2aaab36051ad4579
Instruction Fuzzy Hash: 6CF0A471519A046BF632277DBC06F1B265AFFC37A5F250618F924D29D3FF2488016162

Function 00908A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00889639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00889693
Part of subcall function 00889639: SelectObject.GDI32(?,00000000), ref: 008896A2
Part of subcall function 00889639: BeginPath.GDI32(?), ref: 008896B9
Part of subcall function 00889639: SelectObject.GDI32(?,00000000), ref: 008896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00908A4E
LineTo.GDI32(?,00000003,00000000), ref: 00908A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00908A70
LineTo.GDI32(?,00000000,00000003), ref: 00908A80
EndPath.GDI32(?), ref: 00908A90
StrokePath.GDI32(?), ref: 00908AA0

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c52179808d3e8d5ce7b2d0af0d1dda1eabb6853d20da47c925b8de0fea96d4ac
Instruction ID: 6d3fcacdbf73ec63a08929bc960804cb3bcbc165214bb6a5917fdabc9305cf73
Opcode Fuzzy Hash: c52179808d3e8d5ce7b2d0af0d1dda1eabb6853d20da47c925b8de0fea96d4ac
Instruction Fuzzy Hash: E5110976104109FFEF129F94DC88EAA7F6CEB08390F048112FA599A1A1C7719D55EBA0

Function 008D51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008D5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 008D5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008D5230
ReleaseDC.USER32(00000000,00000000), ref: 008D5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008D524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 008D5261

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 14efb63202febf19b0cf66d552ff2bda5a8b53d903c2ceea2c921fdc132bef5c
Instruction ID: ff5f9126e48bb23d0f5af5173952fdcfb17a0035947bad2073a1a14dea619cf3
Opcode Fuzzy Hash: 14efb63202febf19b0cf66d552ff2bda5a8b53d903c2ceea2c921fdc132bef5c
Instruction Fuzzy Hash: 99014FB5A04719BFEB109BA59C49F5EBFB8FB48751F044166FA04E7281DA709804DFA0

Function 00871BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00871BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00871BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00871C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00871C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00871C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00871C22

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c4b6f13375f9ff4c3ffbc1af26b9229e8ffdad016280eed70d110b1024670be4
Instruction ID: 570fd1afc261f3e1153463b832deee2c304fd438f33f6f6741e4a6a76d5252c1
Opcode Fuzzy Hash: c4b6f13375f9ff4c3ffbc1af26b9229e8ffdad016280eed70d110b1024670be4
Instruction Fuzzy Hash: DB016CB090275A7DE3008F5A8C85B52FFE8FF19354F00411B915C47941C7F5A864CBE5

Function 008DEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008DEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008DEB46
GetWindowThreadProcessId.USER32(?,?), ref: 008DEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008DEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008DEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008DEB75

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 09934cc318158c6b761a01dde02bad44e38e0ca3d4adda61fc1c22d2e26b23d6
Instruction ID: 71d261b0b032f6963daae335ed9864ebb9776a947ae53df5273b1154155fd8ad
Opcode Fuzzy Hash: 09934cc318158c6b761a01dde02bad44e38e0ca3d4adda61fc1c22d2e26b23d6
Instruction Fuzzy Hash: F5F09AB2214119BFE7205B629C0EEEF3A7CEFCAF11F000259F601E1090D7A11A01EAB4

Function 008C7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 008C7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 008C7469
GetWindowDC.USER32(?), ref: 008C7475
GetPixel.GDI32(00000000,?,?), ref: 008C7484
ReleaseDC.USER32(?,00000000), ref: 008C7496
GetSysColor.USER32(00000005), ref: 008C74B0

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 5b45b341e7d15a2d20618e0ad47193fdda6da1a55e4403e89d0d739ce60b28bb
Instruction ID: 91da6a0045ac6b0145695f8c0a25b9d911b3bb8fd4619c4ee6f80ca2ee26b3bc
Opcode Fuzzy Hash: 5b45b341e7d15a2d20618e0ad47193fdda6da1a55e4403e89d0d739ce60b28bb
Instruction Fuzzy Hash: A2018B7141820AFFDB605F64DC08FAA7BB5FF04321F100264FA15A20A0CB311E41BF10

Function 008D1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008D187F
UnloadUserProfile.USERENV(?,?), ref: 008D188B
CloseHandle.KERNEL32(?), ref: 008D1894
CloseHandle.KERNEL32(?), ref: 008D189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008D18A5
HeapFree.KERNEL32(00000000), ref: 008D18AC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 442514f329f9c323caba379569c1653dc24cb65150f052f50d224ccc33f01419
Instruction ID: 958b2c3799fb9828ffe69f494979f92b8f34f0041ca4e5ad02a6fcffd401830e
Opcode Fuzzy Hash: 442514f329f9c323caba379569c1653dc24cb65150f052f50d224ccc33f01419
Instruction Fuzzy Hash: D2E0E5B602C101BFDB015FA1ED0C90ABF39FF49B22B108320F225810B0CB329460EF90

Function 008DC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00877620: _wcslen.LIBCMT ref: 00877625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008DC6EE
_wcslen.LIBCMT ref: 008DC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008DC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008DC7CA

Strings

0, xrefs: 008DC6AF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f892f87bd63bfcd81529c3037fbbb857f96c32771990a63f98061aa765fffa9a
Instruction ID: fb0b9bdade0a59b82a3b3a3064c0aa688a8dc73421e53d795b6b0273b4bb38bc
Opcode Fuzzy Hash: f892f87bd63bfcd81529c3037fbbb857f96c32771990a63f98061aa765fffa9a
Instruction Fuzzy Hash: B951DC716183029BD724AF2CD885B6AB7E8FF89314F040B2EF995D23A1DB70D844DB52

Function 008FAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 008FAEA3

Part of subcall function 00877620: _wcslen.LIBCMT ref: 00877625

GetProcessId.KERNEL32(00000000), ref: 008FAF38
CloseHandle.KERNEL32(00000000), ref: 008FAF67

Strings

@, xrefs: 008FAE72
<, xrefs: 008FAE6B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c6e4be4943710323bc98cbb703167a0ee778d2544f40e3b69e747d7a135f008a
Instruction ID: 8a48a6f0237ddda6269c69f88c172b47046576fcc5a940543e07e40cf04cf8f0
Opcode Fuzzy Hash: c6e4be4943710323bc98cbb703167a0ee778d2544f40e3b69e747d7a135f008a
Instruction Fuzzy Hash: 80713B75A00219DFCB14DF68C484AAEBBB4FF08314F148459E91AEB351CB74ED41CB92

Function 008D719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008D7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008D723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008D724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008D72CF

Strings

DllGetClassObject, xrefs: 008D7242

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b9d3da890a1bdf55f5373322021fc5c3455d2f9f80c5f123666203f71f334b44
Instruction ID: 0891586206ee4a8fb21b4df90c9131f1023d654924c82aba6de230783205150e
Opcode Fuzzy Hash: b9d3da890a1bdf55f5373322021fc5c3455d2f9f80c5f123666203f71f334b44
Instruction Fuzzy Hash: DE417FB1604204EFDB15CF54C884A9A7BA9FF44314F1482AEBD06DF30AE7B0D944CBA0

Function 00903D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00903E35
IsMenu.USER32(?), ref: 00903E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00903E92
DrawMenuBar.USER32 ref: 00903EA5

Strings

0, xrefs: 00903D89

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 2c2f336dbde31ab185b56440aa4fa0a722d72bf9d920a57595166f02661ec625
Instruction ID: 0e8f732c724307e26351188aa7824d955a45bb61eb1f20ea0b4ac604bf38cdf0
Opcode Fuzzy Hash: 2c2f336dbde31ab185b56440aa4fa0a722d72bf9d920a57595166f02661ec625
Instruction Fuzzy Hash: AA413879A15209EFDB10DF54D884EAABBBDFF49354F048229F905A7290D730AE44DF50

Function 008D1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008D1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008D1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 008D1EA9

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Strings

ComboBox, xrefs: 008D1DF0
ListBox, xrefs: 008D1E25

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ff51a09144ce161f7380f8e6a1c4e8eda1d74bc66d38a68fd5e2df9ab86a1015
Instruction ID: 044a973bcf05606164b4adc331aaa5ac7866bf6d55580fb323a44c16c5c7dc34
Opcode Fuzzy Hash: ff51a09144ce161f7380f8e6a1c4e8eda1d74bc66d38a68fd5e2df9ab86a1015
Instruction Fuzzy Hash: B1210B71A00104BFDF14AB68DC4ACFFB7B9FF45354B14421AF815E72E1DB354A069621

Function 00902F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00902F8D
LoadLibraryW.KERNEL32(?), ref: 00902F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00902FA9
DestroyWindow.USER32(?), ref: 00902FB1

Strings

SysAnimate32, xrefs: 00902F68

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a1f2eae07717688dfc50ad1096431dd9801aef564cf3665d959e853c53bc8f5b
Instruction ID: be9de8ecd798a2ee923887b6ee7de88c86b8d8f4723862f0e7c1358af8648656
Opcode Fuzzy Hash: a1f2eae07717688dfc50ad1096431dd9801aef564cf3665d959e853c53bc8f5b
Instruction Fuzzy Hash: 5E219D7120420AAFEB215F64DC88EBB77BDEB993A4F104618FA50D21D0D771DC91A760

Function 00894D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00894D1E,008A28E9,?,00894CBE,008A28E9,009388B8,0000000C,00894E15,008A28E9,00000002), ref: 00894D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00894DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00894D1E,008A28E9,?,00894CBE,008A28E9,009388B8,0000000C,00894E15,008A28E9,00000002,00000000), ref: 00894DC3

Strings

mscoree.dll, xrefs: 00894D86
CorExitProcess, xrefs: 00894D98

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e144620e6a3e4bad2dee7aca57362f6fa4f807e463fc3eef49619d4cd283aa30
Instruction ID: d950f15050f3a4f61fe558acdf5772d28f7c9a7410c75d950277f620a45f09cf
Opcode Fuzzy Hash: e144620e6a3e4bad2dee7aca57362f6fa4f807e463fc3eef49619d4cd283aa30
Instruction Fuzzy Hash: A5F0AF74A14208BFDF11AF90DC09BEDBBF4EF84752F0401A4F809E22A0DB715981EB90

Function 00874E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00874EDD,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00874EAE
FreeLibrary.KERNEL32(00000000,?,?,00874EDD,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874EC0

Strings

kernel32.dll, xrefs: 00874E94
Wow64DisableWow64FsRedirection, xrefs: 00874EA8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0f36a7e9d3ce9faf3fe97ec7eed107ddbe61c49d25e56d858a4d1b77af49272a
Instruction ID: 0fe67b2b90f83fe75b5470eee2780fa65f0da3bf25f47e8206808f820584c635
Opcode Fuzzy Hash: 0f36a7e9d3ce9faf3fe97ec7eed107ddbe61c49d25e56d858a4d1b77af49272a
Instruction Fuzzy Hash: B8E0C277A1E6229FD3721B25AC18B6F7698FFC2F76B054215FC08E2244DBA4CD0194E0

Function 00874E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008B3CDE,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00874E74
FreeLibrary.KERNEL32(00000000,?,?,008B3CDE,?,00941418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00874E87

Strings

kernel32.dll, xrefs: 00874E5B
Wow64RevertWow64FsRedirection, xrefs: 00874E6E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: fce5224bab7eb738cb05a1c3abeeae9a4c8c2e3de317fcb444ee51ca62c52ef3
Instruction ID: 3d5bcc1fec900f54454cb5f10e3977e65cd2a417c9875fbd838a02780b84f583
Opcode Fuzzy Hash: fce5224bab7eb738cb05a1c3abeeae9a4c8c2e3de317fcb444ee51ca62c52ef3
Instruction Fuzzy Hash: 83D0C23351A6215BC6621B246C08D8B2A1CFF85B353459310B808E2158CF60CD01D6D0

Function 008E2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E2C05
DeleteFileW.KERNEL32(?), ref: 008E2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008E2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E2CC0

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f70742e3d6681fa26d89d30d3bfc24c5898b6d6160f41a2899b957e5800d3352
Instruction ID: 15842d1aba19781bfa6fbd85a98c068cb2691f66688c99ecd283ca29ec4b37ea
Opcode Fuzzy Hash: f70742e3d6681fa26d89d30d3bfc24c5898b6d6160f41a2899b957e5800d3352
Instruction Fuzzy Hash: 7CB14E71900129ABDF21EBA9CC85EDEB7BDFF49350F1040A6F609E6145EA709A448F62

Function 008FA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 008FA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008FA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008FA468
CloseHandle.KERNEL32(?), ref: 008FA63D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8ac4dff467601a8a3ca5a99563ea9d4e653a5f422a0ced1fa84bafb6c9fd3864
Instruction ID: 672cbd31eeb9b19784710d135873d0df74aa895443670a238ab2c380f9bb13e1
Opcode Fuzzy Hash: 8ac4dff467601a8a3ca5a99563ea9d4e653a5f422a0ced1fa84bafb6c9fd3864
Instruction Fuzzy Hash: 68A14DB16043019FD724DF28C886B2AB7E5FF44714F14895DF55ADB292DBB0EC418B92

Function 008ABB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00913700), ref: 008ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0094121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00941270,000000FF,?,0000003F,00000000,?), ref: 008ABC36
_free.LIBCMT ref: 008ABB7F

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008ABD4B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: a6581b6358f6b8c11dd6b7043539cfc29c7c41a0b3cecb7d54f1c367682abae6
Instruction ID: 288221571c6324348d29b68ca1de18e1b15fb04e788dc4d4f7e59549370b6c77
Opcode Fuzzy Hash: a6581b6358f6b8c11dd6b7043539cfc29c7c41a0b3cecb7d54f1c367682abae6
Instruction Fuzzy Hash: 08511A71904219AFEB14EF699C41DAEB7BCFF43330F10026AE520D7692EB709E819B51

Function 008DE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008DCF22,?), ref: 008DDDFD

Part of subcall function 008DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008DCF22,?), ref: 008DDE16

Part of subcall function 008DE199: GetFileAttributesW.KERNEL32(?,008DCF95), ref: 008DE19A

lstrcmpiW.KERNEL32(?,?), ref: 008DE473
MoveFileW.KERNEL32(?,?), ref: 008DE4AC
_wcslen.LIBCMT ref: 008DE5EB
_wcslen.LIBCMT ref: 008DE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008DE650

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: caa09b730df793d54a14271e390372dc2bd3ece5f0d4cad151874d7b768d4f9a
Instruction ID: c513ebd86e00f5d67186e25d23e2500cbd8fb69695f27e3c4e263080344fa494
Opcode Fuzzy Hash: caa09b730df793d54a14271e390372dc2bd3ece5f0d4cad151874d7b768d4f9a
Instruction Fuzzy Hash: 7D515FB24087455BCB24EB94D8819DB73ECFF94344F004A2FF589D7291EE74A688876B

Function 008FB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FB6AE,?,?), ref: 008FC9B5
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FC9F1
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA68
Part of subcall function 008FC998: _wcslen.LIBCMT ref: 008FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008FBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008FBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008FBB63
RegCloseKey.ADVAPI32(?,?), ref: 008FBBA6
RegCloseKey.ADVAPI32(00000000), ref: 008FBBB3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 9076bf4e3437d02cdef87ee7df9aafcf534adf16528b2b417c721e7120955fe8
Instruction ID: ea9ccec9fb3d6d9912d812b9981d9269010a98c6cc49b14dbcb4077a2f6276b7
Opcode Fuzzy Hash: 9076bf4e3437d02cdef87ee7df9aafcf534adf16528b2b417c721e7120955fe8
Instruction Fuzzy Hash: 6E61A071208245AFD714DF24C491E3ABBE9FF84318F14895CF5998B2A2DB31ED45CB92

Function 008D8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008D8BCD
VariantClear.OLEAUT32 ref: 008D8C3E
VariantClear.OLEAUT32 ref: 008D8C9D
VariantClear.OLEAUT32(?), ref: 008D8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008D8D3B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: fdb1e837269735d852826b37f9395a565fa3a14356586f895b1cde321ad7a42a
Instruction ID: b66716b378f71e01878093b8f0e8d66d6c3c731d40af6280b08659d66b62b9b0
Opcode Fuzzy Hash: fdb1e837269735d852826b37f9395a565fa3a14356586f895b1cde321ad7a42a
Instruction Fuzzy Hash: AC5159B5A10219EFCB14CF68C894AAAB7F9FF89314B15865AE905DB350E730E911CF90

Function 008E8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008E8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 008E8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008E8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008E8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008E8C5F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: af20d4c4d33ea29d55bf39bc219a80f5538484d2d91d6f6424faeebc9c3d42b1
Instruction ID: db18e1931e524b0966811ae1b283cbe8ce588f634b51d71a1abc917ed1ec2773
Opcode Fuzzy Hash: af20d4c4d33ea29d55bf39bc219a80f5538484d2d91d6f6424faeebc9c3d42b1
Instruction Fuzzy Hash: 8C513635A00218DFCB05DF69C881A6DBBF5FF49314F188058E849AB362CB31ED51DB91

Function 008F8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 008F8F40
GetProcAddress.KERNEL32(00000000,?), ref: 008F8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 008F8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 008F9032
FreeLibrary.KERNEL32(00000000), ref: 008F9052

Part of subcall function 0088F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,008E1043,?,7644E610), ref: 0088F6E6
Part of subcall function 0088F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,008CFA64,00000000,00000000,?,?,008E1043,?,7644E610,?,008CFA64), ref: 0088F70D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 235c122fe8f66449d9f02c8268e14755ed92f817702ba3532b7e2657fef7eb78
Instruction ID: 10f0f6e547b760762444d2b748d1fd8bcf643e7061abcfce9efa144f1a01f77b
Opcode Fuzzy Hash: 235c122fe8f66449d9f02c8268e14755ed92f817702ba3532b7e2657fef7eb78
Instruction Fuzzy Hash: 96512734604209DFC711DF68C4849A9BBF1FF49314B1981A8E94ADB362DB31ED85CB91

Function 00906B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00906C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00906C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00906C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,008EAB79,00000000,00000000), ref: 00906C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00906CC7

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 85bb9a3234975e6bae7ae0e0840abf10855f9e62373556e11b20b5a74a64bea9
Instruction ID: bb0cd213ba70dff8aecd85dced12c5b6d0d7a7ad03f08b27e59a413b2c5ea24e
Opcode Fuzzy Hash: 85bb9a3234975e6bae7ae0e0840abf10855f9e62373556e11b20b5a74a64bea9
Instruction Fuzzy Hash: 1C41EA75A08124AFE724CF28CC54FA57BA9EB09350F140628FAD5A72E0C771ED61DA40

Function 008A2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008A20C3
_free.LIBCMT ref: 008A20E3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8ec7992a71a00c7a2cbafb8e5c1bf2d516a96ecd3a1963d71fc32a6a16692617
Instruction ID: cf09f86f73eefea4bf2bea4b73b7129aa0f4ad022bade37a73ae81f85eb3e26c
Opcode Fuzzy Hash: 8ec7992a71a00c7a2cbafb8e5c1bf2d516a96ecd3a1963d71fc32a6a16692617
Instruction Fuzzy Hash: 6E41E172A006049FEB34DF7CC880A5EB7E5FF8A314F1545A9E615EB792DA31AD01CB81

Function 0088912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00889141
ScreenToClient.USER32(00000000,?), ref: 0088915E
GetAsyncKeyState.USER32(00000001), ref: 00889183
GetAsyncKeyState.USER32(00000002), ref: 0088919D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 111f5f53c41c1cee86ec63b7d68921e9d61416e58c8c935f3808e8893145b8d0
Instruction ID: 1476733cf0542977a3373856d206070dd4724b0c09750d9fa35e5d5201777809
Opcode Fuzzy Hash: 111f5f53c41c1cee86ec63b7d68921e9d61416e58c8c935f3808e8893145b8d0
Instruction Fuzzy Hash: C5417C75A0C61AAEDB05AF68C848BFEB774FB05324F24821AE465E22D0C734A950CF91

Function 008E3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008E38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 008E3922
TranslateMessage.USER32(?), ref: 008E394B
DispatchMessageW.USER32(?), ref: 008E3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008E3966

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7e50da076a3b7bd4cee21ea8c390ed51528751f846f663b56b05fbc5bd10efa6
Instruction ID: 9883b3077d6cf23687c60b823ec178b5c44db80425fe942e751e4b953c46805e
Opcode Fuzzy Hash: 7e50da076a3b7bd4cee21ea8c390ed51528751f846f663b56b05fbc5bd10efa6
Instruction Fuzzy Hash: F131A6745183C5AEEB35DB36984DFB63BA8FB07304F040569E462D31A1E3B49E85DB21

Function 008ECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,008EC21E,00000000), ref: 008ECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 008ECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,008EC21E,00000000), ref: 008ECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,008EC21E,00000000), ref: 008ECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,008EC21E,00000000), ref: 008ECFF2

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: faa397622a53caf02df4a6db14488ded1c0cfb8d89c7524debb4b67f3a279f2a
Instruction ID: ebfc5a4f19eaafbb3551668ef5cf6284c4a4f198ae71d2514591f515ed0d9a1a
Opcode Fuzzy Hash: faa397622a53caf02df4a6db14488ded1c0cfb8d89c7524debb4b67f3a279f2a
Instruction Fuzzy Hash: EE315EB1A04245EFDB20DFAAC884AABBBF9FF15355B10442EF516D2141DB70EE42DB60

Function 008D1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008D1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008D19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008D19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008D19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008D19E2

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3ddbd794432df34f4908154e35f7ba2d62134b46cc92787955a86fc94afefce3
Instruction ID: 79f7ab784eae34c7a9fa6dde2b51c8fc618414ab940ef374e31fd1a2563662a8
Opcode Fuzzy Hash: 3ddbd794432df34f4908154e35f7ba2d62134b46cc92787955a86fc94afefce3
Instruction Fuzzy Hash: D5318AB1A14219BFCB10CFA8C9A9A9E3BB5FF04315F10432AF921E72D1C7709944DB90

Function 00905706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00905745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0090579D
_wcslen.LIBCMT ref: 009057AF
_wcslen.LIBCMT ref: 009057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00905816

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e242e26f35e28ee6b04c024b77f40fcc410c9670d30ee8e5240e31de8e6b397f
Instruction ID: 459610de93d8cfd4e53290bd39a7af7e6d481b7727fc5c2ccb59429db21974bc
Opcode Fuzzy Hash: e242e26f35e28ee6b04c024b77f40fcc410c9670d30ee8e5240e31de8e6b397f
Instruction Fuzzy Hash: 64219E75904618AEDB209FA5CC84EEEBBBCFF44324F108616F929EA1D4E7708985CF50

Function 008F0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008F0951
GetForegroundWindow.USER32 ref: 008F0968
GetDC.USER32(00000000), ref: 008F09A4
GetPixel.GDI32(00000000,?,00000003), ref: 008F09B0
ReleaseDC.USER32(00000000,00000003), ref: 008F09E8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 25dd647d2d3aa36bffe2eb5a0f51935165362ed6acb066316f7e38cb1202e2fb
Instruction ID: 4d5b08a30e45179dff37b61aadc47238b7aae048fe8d60ff1f95e5bf9d2b1385
Opcode Fuzzy Hash: 25dd647d2d3aa36bffe2eb5a0f51935165362ed6acb066316f7e38cb1202e2fb
Instruction Fuzzy Hash: 4F218175A00208AFD714EF69C889AAEBBE5FF49704F048168F94AD7362DB70EC44DB50

Function 008ACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008ACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008ACDE9

Part of subcall function 008A3820: RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008ACE0F
_free.LIBCMT ref: 008ACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008ACE31

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8716db9b7e21c68a0d08699553f832228ea11b0bef67871367eb4894902f1888
Instruction ID: 0255ef0dc86a388962a1b4ac9ba021275e36562169e253e45580fff654d33d1e
Opcode Fuzzy Hash: 8716db9b7e21c68a0d08699553f832228ea11b0bef67871367eb4894902f1888
Instruction Fuzzy Hash: D00124B26052147F772117BAAC88C3B6A6CFEC3BA13140229F900D3600EB208D2191F0

Function 0088990C Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008898CC
SetTextColor.GDI32(?,?), ref: 008898D6
SetBkMode.GDI32(?,00000001), ref: 008898E9
GetStockObject.GDI32(00000005), ref: 008898F1
GetWindowLongW.USER32(?,000000EB), ref: 00889952

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 200f8c64b27b5e8408f87608d214e259fd79ae5f7b9072b85c2a7ce663b8590f
Instruction ID: d555a8fe59963c6571343abee1954e283cb2aed9425abfd8bebcfd37e6fcff3f
Opcode Fuzzy Hash: 200f8c64b27b5e8408f87608d214e259fd79ae5f7b9072b85c2a7ce663b8590f
Instruction Fuzzy Hash: C221B07114D290AFC7229F38EC98AB93F60FF17325B1D429EE9D2CA1A2C7314952DB51

Function 00889639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00889693
SelectObject.GDI32(?,00000000), ref: 008896A2
BeginPath.GDI32(?), ref: 008896B9
SelectObject.GDI32(?,00000000), ref: 008896E2

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1b894c98924cb06b42c7dae69b35309f7adfef2891a95ab2f8d32a10031979e7
Instruction ID: 548db88f6831c12bca24c3418ab7793c72e07d3178e885be3ba6265a996a2753
Opcode Fuzzy Hash: 1b894c98924cb06b42c7dae69b35309f7adfef2891a95ab2f8d32a10031979e7
Instruction Fuzzy Hash: 1E217F7482A305EFDB11EF68EC04BB93BB8FB21355F140216F460E61A0E3709891EF90

Function 008D5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008D5726
_memcmp.LIBVCRUNTIME ref: 008D5744
_memcmp.LIBVCRUNTIME ref: 008D5757
_memcmp.LIBVCRUNTIME ref: 008D576F
_memcmp.LIBVCRUNTIME ref: 008D5787

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e1d7251218188ad173b3462e5b68f625ed73bd8f5f740a61358c9333e7176d50
Instruction ID: 5423454f2a780b6e9db616bb0f66c71a06b5d4d47a49da49da492e3df13c9aa7
Opcode Fuzzy Hash: e1d7251218188ad173b3462e5b68f625ed73bd8f5f740a61358c9333e7176d50
Instruction Fuzzy Hash: C001D26124560AFEEA1861149D86EBA735CFF613A8F244123FD08DA781F720EE1086A1

Function 008A2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0089F2DE,008A3863,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6), ref: 008A2DFD
_free.LIBCMT ref: 008A2E32
_free.LIBCMT ref: 008A2E59
SetLastError.KERNEL32(00000000,00871129), ref: 008A2E66
SetLastError.KERNEL32(00000000,00871129), ref: 008A2E6F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 65099505fba557a61e3ebfc41d22c8e8c740776d9d6ab8dd7f400b73008c49b0
Instruction ID: 53772ce43cc9aa33165ad1b7480140e714f75313530b0ab92d62b1eb2578f302
Opcode Fuzzy Hash: 65099505fba557a61e3ebfc41d22c8e8c740776d9d6ab8dd7f400b73008c49b0
Instruction Fuzzy Hash: 2F012872219A006BF632677D6C46E2B265DFBD37B5B240128F425E29D3FF74CCA16122

Function 008D000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?,?,008D035E), ref: 008D002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?), ref: 008D0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008CFF41,80070057,?,?), ref: 008D0070

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c1a95507f1d1fcd2def7471d36cfd884d4ca59bedec365c4d075e1967a283ba3
Instruction ID: 99fd0c6d8ee53222562b671b80ba1c8aacd5fbefc298152598c5be7fe9f1cdb1
Opcode Fuzzy Hash: c1a95507f1d1fcd2def7471d36cfd884d4ca59bedec365c4d075e1967a283ba3
Instruction Fuzzy Hash: B2018BB2610604BFDB108F68DC04BAA7BADFF84792F148225FD05D2210E771DD40ABA0

Function 008DE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 008DE997
QueryPerformanceFrequency.KERNEL32(?), ref: 008DE9A5
Sleep.KERNEL32(00000000), ref: 008DE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 008DE9B7
Sleep.KERNEL32 ref: 008DE9F3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ed175625cce60bf06951fb96bd75bd327e6351062ccb2b28e0f72fe87fe707a1
Instruction ID: b26d718c23f27de324b8a19d599d0dd54aac04530d1aecbcf542de04afaac7da
Opcode Fuzzy Hash: ed175625cce60bf06951fb96bd75bd327e6351062ccb2b28e0f72fe87fe707a1
Instruction Fuzzy Hash: 8C015771C0A62DEBCF40ABE5D869AEDBB78FB08310F000656E502F6240CB3095519BA1

Function 008D10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,008D0B9B,?,?,?), ref: 008D1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D114D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 33926488fa95004251c009acd4a44f598a246a1c5fad631dc2fe65c9684b3028
Instruction ID: 3e87a38136acbb2d1d975af4c7f0f90bdd6064a4dc7a67cc4aab146536611c24
Opcode Fuzzy Hash: 33926488fa95004251c009acd4a44f598a246a1c5fad631dc2fe65c9684b3028
Instruction Fuzzy Hash: 470119B5214205BFEF114FA5DC4DA6A3B7EFF893A0B204619FA45D7360DA31DC40AA60

Function 008D0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008D0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D1002

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4637dc3e0d06ee1abe08063c0300b731189ea6c45fcbde5cb03be8c72bd20ff2
Instruction ID: 0ece57ff2ea78184224a6a54a1fe5f5c33de57db2963b763cf0cc978aaa31af2
Opcode Fuzzy Hash: 4637dc3e0d06ee1abe08063c0300b731189ea6c45fcbde5cb03be8c72bd20ff2
Instruction Fuzzy Hash: E2F049B5214701BFDB215FA4AC4DF563BADFF89B62F104615FA45C6291CA70DC809A60

Function 008D1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008D104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D1062

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: dcc10477520287629807fababaa7671c3373a83efe771dc23d5a65f690013749
Instruction ID: b4a78b7fb19eee4dc93d34897fb120d57cbca1f84ce8f533f315ca4379d80006
Opcode Fuzzy Hash: dcc10477520287629807fababaa7671c3373a83efe771dc23d5a65f690013749
Instruction Fuzzy Hash: AEF049B5214701BFDB216FA4EC4DF563BADFF89761F100615FA45C6250CA70DC809A60

Function 008E030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E0324
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E0331
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E033E
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E034B
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E0358
CloseHandle.KERNEL32(?,?,?,?,008E017D,?,008E32FC,?,00000001,008B2592,?), ref: 008E0365

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d0eb639eacc3b6e9cc6ccd7a4b0853ed4775a3e0329c436eb195d5a2b1024aef
Instruction ID: 16ce761f81f21aab641b98e12ed4b289200f856ffed21d7ee9d2df926319edcb
Opcode Fuzzy Hash: d0eb639eacc3b6e9cc6ccd7a4b0853ed4775a3e0329c436eb195d5a2b1024aef
Instruction Fuzzy Hash: 09019072800B559FC7309F66D880412F7F5FE512153158E3ED19692A31C3B1A994DE80

Function 008AD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008AD752

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008AD764
_free.LIBCMT ref: 008AD776
_free.LIBCMT ref: 008AD788
_free.LIBCMT ref: 008AD79A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bbb71f1ef3fae7c95b4bb6aaacc0d3f623f9aae805be8d4910204aed1f482beb
Instruction ID: 29b8e591837fc92ab23b5b6e7c8898d807278fabd2598c162f634d21f3bc8fb9
Opcode Fuzzy Hash: bbb71f1ef3fae7c95b4bb6aaacc0d3f623f9aae805be8d4910204aed1f482beb
Instruction Fuzzy Hash: 49F04F72518708AFA669EB6CF9C1D1B7BDDFB06710B990805F149E7D11C720FC808B62

Function 008D5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008D5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 008D5C6F
MessageBeep.USER32(00000000), ref: 008D5C87
KillTimer.USER32(?,0000040A), ref: 008D5CA3
EndDialog.USER32(?,00000001), ref: 008D5CBD

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6147f316e4640e8dd8041c33e7d1083fb64e4e9f3256d3a6c1f4bfa1bb002b3d
Instruction ID: e8e27ea2508403fb64bc14a4382d928c1889a5c5e39c450435a45ce0f1898225
Opcode Fuzzy Hash: 6147f316e4640e8dd8041c33e7d1083fb64e4e9f3256d3a6c1f4bfa1bb002b3d
Instruction Fuzzy Hash: B6018170524B04AFEB306B10DD4EFA67BB8FB00B45F04075BA583E11E1DBF5A9849A91

Function 008A22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008A22BE

Part of subcall function 008A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000), ref: 008A29DE
Part of subcall function 008A29C8: GetLastError.KERNEL32(00000000,?,008AD7D1,00000000,00000000,00000000,00000000,?,008AD7F8,00000000,00000007,00000000,?,008ADBF5,00000000,00000000), ref: 008A29F0

_free.LIBCMT ref: 008A22D0
_free.LIBCMT ref: 008A22E3
_free.LIBCMT ref: 008A22F4
_free.LIBCMT ref: 008A2305

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8748bfb170ae12da3549d6981c169ec72f014776698e763127a4133df8b9d8e4
Instruction ID: 45c6849e1f9c920b2e8f942aca01fbc9015f066e8098b90e0c21cd50f313cac9
Opcode Fuzzy Hash: 8748bfb170ae12da3549d6981c169ec72f014776698e763127a4133df8b9d8e4
Instruction Fuzzy Hash: 26F054B84286108FD772AF6CBC01D093F64F71BB517040556F610D2671C7310551BFE6

Function 008895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008895D4
StrokeAndFillPath.GDI32(?,?,008C71F7,00000000,?,?,?), ref: 008895F0
SelectObject.GDI32(?,00000000), ref: 00889603
DeleteObject.GDI32 ref: 00889616
StrokePath.GDI32(?), ref: 00889631

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 07d8fdb11e2aba111155c020953b51a4c6cc4c45845a747c9546bf939f0edc50
Instruction ID: 942931857c41d023026139f55790a5ea7cfc85e47b9f4d7282ba73e9d01d930e
Opcode Fuzzy Hash: 07d8fdb11e2aba111155c020953b51a4c6cc4c45845a747c9546bf939f0edc50
Instruction Fuzzy Hash: F9F0C97902E208EFDB16AF65ED58B643B65FB12366F088314F469950F0D7308995EF60

Function 008A0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008A10F9
__freea.LIBCMT ref: 008A1117

Part of subcall function 008A1537: _free.LIBCMT ref: 008A154F

Strings

a/p, xrefs: 008A11DE
am/pm, xrefs: 008A117A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 716e4bbe41ef2865cba15248b81c9d026569866f6c2a80f0d424cc35d75f1b04
Instruction ID: d7c2dbf397058b9a22b66ab26323e1429df296b14f404f23b51a91c3c1b29212
Opcode Fuzzy Hash: 716e4bbe41ef2865cba15248b81c9d026569866f6c2a80f0d424cc35d75f1b04
Instruction Fuzzy Hash: E5D1DF3190020A9AEF289F68C85DBBAB7B5FF07714F284159E901EBF50D3799D80CB91

Function 008F7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00890242: EnterCriticalSection.KERNEL32(0094070C,00941884,?,?,0088198B,00942518,?,?,?,008712F9,00000000), ref: 0089024D
Part of subcall function 00890242: LeaveCriticalSection.KERNEL32(0094070C,?,0088198B,00942518,?,?,?,008712F9,00000000), ref: 0089028A

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008900A3: __onexit.LIBCMT ref: 008900A9

__Init_thread_footer.LIBCMT ref: 008F7BFB

Part of subcall function 008901F8: EnterCriticalSection.KERNEL32(0094070C,?,?,00888747,00942514), ref: 00890202
Part of subcall function 008901F8: LeaveCriticalSection.KERNEL32(0094070C,?,00888747,00942514), ref: 00890235

Strings

G, xrefs: 008F7C7F
Variable must be of type 'Object'., xrefs: 008F7C3A
5, xrefs: 008F7C78

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 95bdbf4d06280b2dac748e850b0f893881ea27f216bfa4970cca003bd429afa0
Instruction ID: 3c0e246dee8ed31fa60fcc094fed9eac5f043213f497941a2062563a5798f5cb
Opcode Fuzzy Hash: 95bdbf4d06280b2dac748e850b0f893881ea27f216bfa4970cca003bd429afa0
Instruction Fuzzy Hash: 45916970A04209AFDB14EF68D891DBDB7B1FF49304F508059FA06DB296DB71AE41CB51

Function 008D2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008D21D0,?,?,00000034,00000800,?,00000034), ref: 008DB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008D2760

Part of subcall function 008DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 008DB3F8

Part of subcall function 008DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 008DB355
Part of subcall function 008DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008D2194,00000034,?,?,00001004,00000000,00000000), ref: 008DB365
Part of subcall function 008DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008D2194,00000034,?,?,00001004,00000000,00000000), ref: 008DB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008D27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008D281A

Strings

@, xrefs: 008D2832

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 364d2a0b6f7822ac02564c349e9678901613bcdb2954a500db66e99be88cc69f
Instruction ID: 5c3694e0c6c06754311cafe68f28d538ee5969846a3781d56851ed36077217c0
Opcode Fuzzy Hash: 364d2a0b6f7822ac02564c349e9678901613bcdb2954a500db66e99be88cc69f
Instruction Fuzzy Hash: 8E413C72900218AFDB10DBA8CD45EEEBBB8FF19300F004196FA55B7281DB716E45DBA1

Function 008A172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 008A1769
_free.LIBCMT ref: 008A1834
_free.LIBCMT ref: 008A183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 008A1760, 008A1767, 008A1796, 008A17CE

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 2e1627b1ac9bd971410a9d8cbe36a9c0fb0825e6cfc786a3b3f4c76b02acb878
Instruction ID: 77b94ff51ca9ab8481dcb357d4a7bff6e02beaee8f88cc2de39b4c14dfe80af5
Opcode Fuzzy Hash: 2e1627b1ac9bd971410a9d8cbe36a9c0fb0825e6cfc786a3b3f4c76b02acb878
Instruction Fuzzy Hash: F8318D75A04218AFEF21DB999889D9EBBFCFB86310F144166F904D7611D6B08E80DB91

Function 008DC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008DC306
DeleteMenu.USER32(?,00000007,00000000), ref: 008DC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00941990,01305988), ref: 008DC395

Strings

0, xrefs: 008DC2DF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 99d77a08d15807ba260edadd5672e7efb2e654376e5850a13064fd3b5e0a3bc6
Instruction ID: 0b9f47f8b5abf4ed5459895beca52084bad889ce89e30f0a8277126f65100ebd
Opcode Fuzzy Hash: 99d77a08d15807ba260edadd5672e7efb2e654376e5850a13064fd3b5e0a3bc6
Instruction Fuzzy Hash: 5B416C712083429FDB28DF29D884B5ABBA4FB85324F14871EF9A5D73D1D770A904CB62

Function 00904416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0090CC08,00000000,?,?,?,?), ref: 009044AA
GetWindowLongW.USER32 ref: 009044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009044D7

Strings

SysTreeView32, xrefs: 0090447C

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 00b8d1ab016c203feb875c5c53acf85924496a1c5aa7bee7b747e48e277d487e
Instruction ID: 761cce1fb724c2fd15ddf553d56e2a2abbf46b089aaeef1188967239a647bc3e
Opcode Fuzzy Hash: 00b8d1ab016c203feb875c5c53acf85924496a1c5aa7bee7b747e48e277d487e
Instruction Fuzzy Hash: B8318DB1214605AFDB209F38DC45BEA77A9EB49334F204715FA79D21E1D770EC509B50

Function 008F304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,008F3077,?,?), ref: 008F3378

inet_addr.WSOCK32(?), ref: 008F307A
_wcslen.LIBCMT ref: 008F309B
htons.WSOCK32(00000000), ref: 008F3106

Strings

255.255.255.255, xrefs: 008F3095, 008F309A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d7fe06ce0bff6245fd584995037be351edf1a5042181c093c979d2f76bd2f9d3
Instruction ID: 3f8ff4216496782ad5b8886329ac2d4696cb47fed0f5521c1c983e8f3a06bc7c
Opcode Fuzzy Hash: d7fe06ce0bff6245fd584995037be351edf1a5042181c093c979d2f76bd2f9d3
Instruction Fuzzy Hash: 0A31AE356042099FCB20DF38C485ABA77A4FF54318F24805AEA15CB392DB72EE85CB61

Function 00903EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00903F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00903F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00903F78

Strings

SysMonthCal32, xrefs: 00903F0B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 581daf96359bd628f22c9e7c4bbc7c159f56e5478c7ffd80b49589685f65a3e1
Instruction ID: 1c155a1ed5a5f26c0ba1fdabf94b0e2beca12757a734b332aa52a7f323ca3f55
Opcode Fuzzy Hash: 581daf96359bd628f22c9e7c4bbc7c159f56e5478c7ffd80b49589685f65a3e1
Instruction Fuzzy Hash: 6C21D13261021ABFEF218F54CC46FEA3B79EF48714F114214FA15AB1D0DAB1AC90DB90

Function 00904653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00904705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00904713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0090471A

Strings

msctls_updown32, xrefs: 00904684

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 41bd48414ee16630d42fcaf263402e1478b5382364199b01eb1898af90546fd8
Instruction ID: ce12dec462890360322d5572218e2b6808ed37e161fb3f4a6b2b838f7a8f7352
Opcode Fuzzy Hash: 41bd48414ee16630d42fcaf263402e1478b5382364199b01eb1898af90546fd8
Instruction Fuzzy Hash: 0A2160F5604209AFDB10DF68DCD1DA737ADEF9A3A4B040459FA00DB2A1DB71EC51DA60

Function 008D95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008D961D

Strings

#requireadmin, xrefs: 008D95D9
#OnAutoItStartRegister, xrefs: 008D95F3
#notrayicon, xrefs: 008D95B7

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 70dd1b9b3caac6ace7fb6e77646daa2e0875c200cedbb957f4dffd32785c42c2
Instruction ID: c15d3ce391d14654d1bb4522892fb3f0a4cbfa91bde0d76434f9307f7a63f203
Opcode Fuzzy Hash: 70dd1b9b3caac6ace7fb6e77646daa2e0875c200cedbb957f4dffd32785c42c2
Instruction Fuzzy Hash: 83213832204111A6C731BA28AC12FBB73A8FFA1314F144137F98AD7285EB55ED91C396

Function 009037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00903840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00903850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00903876

Strings

Listbox, xrefs: 0090380F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 11b4f10e3a97e2f3317a8af59969f9c574073b8413e909ee67819f04d0e2221d
Instruction ID: 73b154e726430067aed2c781e07f284a28499665f1844937a2add8eab783211b
Opcode Fuzzy Hash: 11b4f10e3a97e2f3317a8af59969f9c574073b8413e909ee67819f04d0e2221d
Instruction Fuzzy Hash: F6217C72614218AFEB218F64CC85EAB376EEF89754F10C124F9449B190CA71DC528BA0

Function 008E49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008E4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008E4A5C
SetErrorMode.KERNEL32(00000000,?,?,0090CC08), ref: 008E4AD0

Strings

%lu, xrefs: 008E4A6F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 73679fbd4375c22d6a9f26797184b006dae90439effe137f7c543c787d5a5ca3
Instruction ID: 1bd2a66d91f8889eb67517c0d776b707e1d11dadb606fe7abb376922612b2333
Opcode Fuzzy Hash: 73679fbd4375c22d6a9f26797184b006dae90439effe137f7c543c787d5a5ca3
Instruction Fuzzy Hash: 7F315E71A00118AFDB10DF58C885EAA7BF8FF49318F1480A5E909DB252D771ED45CB62

Function 009041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0090424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00904264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00904271

Strings

msctls_trackbar32, xrefs: 00904226

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 15bba39933df04a678caea8925ae7c7ad0d2d3bf47dbf6caf216befad93a79d1
Instruction ID: fa82bfd88afc50a192e8411306095604a7b255bf9070fa88896e29da57b1945d
Opcode Fuzzy Hash: 15bba39933df04a678caea8925ae7c7ad0d2d3bf47dbf6caf216befad93a79d1
Instruction Fuzzy Hash: D0110671344208BEEF205F68CC06FAB3BACEF95B54F010514FA55E20E0D671DC619B10

Function 008D2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Part of subcall function 008D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008D2DC5
Part of subcall function 008D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 008D2DD6
Part of subcall function 008D2DA7: GetCurrentThreadId.KERNEL32 ref: 008D2DDD
Part of subcall function 008D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008D2DE4

GetFocus.USER32 ref: 008D2F78

Part of subcall function 008D2DEE: GetParent.USER32(00000000), ref: 008D2DF9

GetClassNameW.USER32(?,?,00000100), ref: 008D2FC3
EnumChildWindows.USER32(?,008D303B), ref: 008D2FEB

Strings

%s%d, xrefs: 008D2FFF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 1f952a23189ff1612106c92128c88bdf60bd77340eed8196a8733512043f7ac8
Instruction ID: c804257285ef4bef0caba932f8fa9ecedb38ccbf8d71ceb9580704082e248080
Opcode Fuzzy Hash: 1f952a23189ff1612106c92128c88bdf60bd77340eed8196a8733512043f7ac8
Instruction Fuzzy Hash: D711E7712002096BCF10BF748C85EED376AFF94318F048176F909EB292DE319E498B62

Function 00905882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009058EE
DrawMenuBar.USER32(?), ref: 009058FD

Strings

0, xrefs: 0090588F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 34491f9cffa57484181b424fd7fd4b286baf2b45395a93e2f2861479daec0a38
Instruction ID: 9d8ed282755de70090512742372b13b70bef5d4d83b95ae9c563d368eece90be
Opcode Fuzzy Hash: 34491f9cffa57484181b424fd7fd4b286baf2b45395a93e2f2861479daec0a38
Instruction Fuzzy Hash: 7B01CC31504208EFDB209F11DC44BAFBBB8FF45361F0080A9F848DA1A2DB308A90EF21

Function 008CD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 008CD3BF
FreeLibrary.KERNEL32 ref: 008CD3E5

Strings

X64, xrefs: 008CD2A8
GetSystemWow64DirectoryW, xrefs: 008CD3B9

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 1961aaee31d9906b322a2afa2fa3d76ad20080c52da4b1603702d53388dca6bf
Instruction ID: 0f6c8be8bfbf9c1e49a4f72c2d940db314efa9adf48d80f1f80f948f9cf7c62b
Opcode Fuzzy Hash: 1961aaee31d9906b322a2afa2fa3d76ad20080c52da4b1603702d53388dca6bf
Instruction Fuzzy Hash: 31F020B280AB258AC37133204C28F6A73B0FF10705F64823CE402E1284E730CC408682

Function 008D007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f623563c765145a8fed0678f93fcd52fe093a7fc500ff33fffa241233699583
Instruction ID: 8e48b980c4928fefa4e012882dbe60b82843236cefd951b64739797f2e2d66ff
Opcode Fuzzy Hash: 4f623563c765145a8fed0678f93fcd52fe093a7fc500ff33fffa241233699583
Instruction Fuzzy Hash: 78C13875A0020AAFDB14DFA8C894BAEB7B5FF48704F208699E505EB351D731EE41CB90

Function 008A3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008A3F0B
__alldvrm.LIBCMT ref: 008A410C
__alldvrm.LIBCMT ref: 008A412E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1890be23fda00b4ada303aa0a5f11a80cf7bffa21a93f634c88fb73c09f78a28
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 40A14571E107869FFF21CE18C8917AABBE4FFA3350F18416DE585DB682C6B88981C751

Function 008F342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008F3459
CoUninitialize.OLE32 ref: 008F3463
VariantInit.OLEAUT32(?), ref: 008F346E
VariantClear.OLEAUT32(?), ref: 008F371B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 57df76ebfcfde1295f3deb509bf3246eaca71498fc84745bea3de06e91dd4583
Instruction ID: 3a10f7460faebc6e661040194f18b7e4be64b11a012fc40fe0e91d6d93579491
Opcode Fuzzy Hash: 57df76ebfcfde1295f3deb509bf3246eaca71498fc84745bea3de06e91dd4583
Instruction Fuzzy Hash: 88A13B756042049FCB10EF28C485A2AB7E5FF89714F148959FA8ADB366DB30EE41CB52

Function 008D0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0090FC08,?), ref: 008D05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0090FC08,?), ref: 008D0608
CLSIDFromProgID.OLE32(?,?,00000000,0090CC40,000000FF,?,00000000,00000800,00000000,?,0090FC08,?), ref: 008D062D
_memcmp.LIBVCRUNTIME ref: 008D064E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 51c39fc31eb5f48139132150a68feb1f41030bc8af52e41a7aea334faec4dc2c
Instruction ID: 583ff575123f2082f131e7d7debae0002f159b653a33a9a0d7dd824e27830e12
Opcode Fuzzy Hash: 51c39fc31eb5f48139132150a68feb1f41030bc8af52e41a7aea334faec4dc2c
Instruction Fuzzy Hash: 9681E671A00209AFCB04DF94C984EEEB7B9FF89315F204599E506EB250DB71AE06CF61

Function 008FA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008FA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 008FA6BA

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Process32NextW.KERNEL32(00000000,?), ref: 008FA79C
CloseHandle.KERNEL32(00000000), ref: 008FA7AB

Part of subcall function 0088CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,008B3303,?), ref: 0088CE8A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 02214b4384f060eb9fbd4c709d03b1b7073476f81b3d12df3608b10c1ad8c379
Instruction ID: 03b318c2a0c3329e6d992863c85e0fb491820def8feec44acd78b58722de2ac9
Opcode Fuzzy Hash: 02214b4384f060eb9fbd4c709d03b1b7073476f81b3d12df3608b10c1ad8c379
Instruction Fuzzy Hash: D3510AB15083049FD714EF28C886A6BBBE8FF89754F00892DF599D7252EB70D905CB92

Function 008B1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008B14C0

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a84c51e50787331ff817f8a599affabf659d5184118caffc1ec85cdf1453a7ba
Instruction ID: f17e041e64c7fb571aafce698403f59beb269cfed157c641b88232b3a64612c3
Opcode Fuzzy Hash: a84c51e50787331ff817f8a599affabf659d5184118caffc1ec85cdf1453a7ba
Instruction Fuzzy Hash: F6417B31600105ABEF257BFC8C5ABEE3AA6FF46370F684225F518DA392EA7448415267

Function 00906278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009062E2
ScreenToClient.USER32(?,?), ref: 00906315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00906382

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 9b82a3ff2c1492956d4207723f873ef544b50103114fd9cadf99ba13b1a458b6
Instruction ID: e8864f3d0f237c0b2329ec3956aedd953d44028613446e118fcb700446cdd489
Opcode Fuzzy Hash: 9b82a3ff2c1492956d4207723f873ef544b50103114fd9cadf99ba13b1a458b6
Instruction Fuzzy Hash: 3D510B74900209EFDB24DF58D881AAE7BB9FB45360F108269F865972E0D730ED91DB90

Function 008F1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 008F1AFD
WSAGetLastError.WSOCK32 ref: 008F1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008F1B8A
WSAGetLastError.WSOCK32 ref: 008F1B94

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 3ea6b48d4937f6b84da0c0b08b40a72654d0e3a6e5bdec21d8ab9a0a78a4ccd0
Instruction ID: 0e0f3672e8ded3fd0d03d83a670e83154968420a634eaeccbcd9d7f94b369fef
Opcode Fuzzy Hash: 3ea6b48d4937f6b84da0c0b08b40a72654d0e3a6e5bdec21d8ab9a0a78a4ccd0
Instruction Fuzzy Hash: 2D416D74640204AFEB20AF28C88AF2977A5FB44718F54C558FA1ADF393E672DD418B91

Function 008AB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f92c3ceafb853ce0ef78a0c37a34fafe38c6f9e86a0876b011edc014d3c351
Instruction ID: b87084ac4ec94ec516bd0a6fe3ffd1b52844e21d299a5f1764365c5f610d55d7
Opcode Fuzzy Hash: 41f92c3ceafb853ce0ef78a0c37a34fafe38c6f9e86a0876b011edc014d3c351
Instruction Fuzzy Hash: 2B410671A00708AFE724AF7CCC41BAABBE9FB89710F10452EF541DBA83D771A9018781

Function 008E56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008E5783
GetLastError.KERNEL32(?,00000000), ref: 008E57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008E57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008E57FA

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7bafdb0957d4873067c6c365beedba4686ebfc37e332f67365e67cd657486210
Instruction ID: 04c5226e7384647efaf0374b27550396e1b2eb71f105d20552537155f4a00b8e
Opcode Fuzzy Hash: 7bafdb0957d4873067c6c365beedba4686ebfc37e332f67365e67cd657486210
Instruction Fuzzy Hash: C1412F35600610DFCB11EF19C544A5EBBE2FF89724B19C498E85A9B366CB34FD40DB92

Function 008AD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00896D71,00000000,00000000,008982D9,?,008982D9,?,00000001,00896D71,8BE85006,00000001,008982D9,008982D9), ref: 008AD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008AD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008AD9AB
__freea.LIBCMT ref: 008AD9B4

Part of subcall function 008A3820: RtlAllocateHeap.NTDLL(00000000,?,00941444,?,0088FDF5,?,?,0087A976,00000010,00941440,008713FC,?,008713C6,?,00871129), ref: 008A3852

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 09d2a4697e812292e343647b685bc465f5bb07474c5432f907bb8a0c546f560c
Instruction ID: 47471174428dc29b86c52982b2af7cc77ed1a3ced6c6a114955b53e5b4951430
Opcode Fuzzy Hash: 09d2a4697e812292e343647b685bc465f5bb07474c5432f907bb8a0c546f560c
Instruction Fuzzy Hash: AE31CE72A0020AAFEF249F68DC45EAF7BA5FB42310B090268FC05DA650EB35CD55CB90

Function 009052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00905352
GetWindowLongW.USER32(?,000000F0), ref: 00905375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00905382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009053A8

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: bb66a15d1720703f10f415dff2f32116278e2865c35ad115b170733a0a82c379
Instruction ID: cbae690af0fed231b4abdc289ac9f4f8978b51f499c47fd1f8245ddede87144c
Opcode Fuzzy Hash: bb66a15d1720703f10f415dff2f32116278e2865c35ad115b170733a0a82c379
Instruction Fuzzy Hash: 3531C374A59A08EFEB349F14CC06FEA77A9EB053D0F594501FA10961E1C7B5AD80EF42

Function 008DAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 008DABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 008DAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 008DAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 008DACC6

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4df55491bf73654bfabe200acbdd5adcc4586bc28a356f816894ce05a4509fec
Instruction ID: c1cdd3c461fdf72476a6a072d48f7b1300be1dc0f5903259a87b11cb17ed3a79
Opcode Fuzzy Hash: 4df55491bf73654bfabe200acbdd5adcc4586bc28a356f816894ce05a4509fec
Instruction Fuzzy Hash: 4B31F470A64618AFEB398B65CC047FA7BA5FB89330F28431BE485D23D1C37589859753

Function 00907674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0090769A
GetWindowRect.USER32(?,?), ref: 00907710
PtInRect.USER32(?,?,00908B89), ref: 00907720
MessageBeep.USER32(00000000), ref: 0090778C

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 44245a22d44858712436497e100a37157727c52d9408648b9171c03439d70a24
Instruction ID: 5ee1b9ee9ed360ca0e6adca4065a7da338bdf7959ba23ebd7f9362a3a11e8362
Opcode Fuzzy Hash: 44245a22d44858712436497e100a37157727c52d9408648b9171c03439d70a24
Instruction Fuzzy Hash: F541AF39A09215DFCB15CF98D894EA9B7F5FB49360F1441A8E414DB2A1C371B981DF90

Function 009016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009016EB

Part of subcall function 008D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 008D3A57
Part of subcall function 008D3A3D: GetCurrentThreadId.KERNEL32 ref: 008D3A5E
Part of subcall function 008D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008D25B3), ref: 008D3A65

GetCaretPos.USER32(?), ref: 009016FF
ClientToScreen.USER32(00000000,?), ref: 0090174C
GetForegroundWindow.USER32 ref: 00901752

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f9a41e9bb7ce712d31ba4d1f329d9a6bbe6d1ec782ad412a3a8963fac1b59ef2
Instruction ID: 2f3fa609528da9d90ed4c90e2b6e15956ec6b8e51081464197db623ed97bf047
Opcode Fuzzy Hash: f9a41e9bb7ce712d31ba4d1f329d9a6bbe6d1ec782ad412a3a8963fac1b59ef2
Instruction Fuzzy Hash: 04311D75D00549AFC704EFA9C881CAEBBF9FF49304B5480AAE415E7251EB31DE45CBA1

Function 008DDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00877620: _wcslen.LIBCMT ref: 00877625

_wcslen.LIBCMT ref: 008DDFCB
_wcslen.LIBCMT ref: 008DDFE2
_wcslen.LIBCMT ref: 008DE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 008DE018

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 16d4fd13762eb6ef204cb7e0a2670eae733d6618c91c363185c61b0df0432880
Instruction ID: a8bedb1f33016e3073e896338824af60257f30c94ec004cb4c6227a0d0ee7f19
Opcode Fuzzy Hash: 16d4fd13762eb6ef204cb7e0a2670eae733d6618c91c363185c61b0df0432880
Instruction Fuzzy Hash: 9121BF71900618AFCB20EFA8D881BAEBBF8FF85750F144165E904FB345D6709E41CBA2

Function 00908FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

GetCursorPos.USER32(?), ref: 00909001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008C7711,?,?,?,?,?), ref: 00909016
GetCursorPos.USER32(?), ref: 0090905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008C7711,?,?,?), ref: 00909094

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ba21d8ba84eb99b686429348f5795afa02c17e91bf9be0c0c6e72891ef4ccc30
Instruction ID: 1ff2f7ca1b29c48791c0b32868c76bf2b85d619d326160caa591fd3911cbd444
Opcode Fuzzy Hash: ba21d8ba84eb99b686429348f5795afa02c17e91bf9be0c0c6e72891ef4ccc30
Instruction Fuzzy Hash: EA21A136611018EFDB258F94DC58EFB7BB9FF4A360F044155F945872A2C3319990EB60

Function 008DD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0090CB68), ref: 008DD2FB
GetLastError.KERNEL32 ref: 008DD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 008DD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0090CB68), ref: 008DD376

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 50b1869bede77c71e718fd531b38a10a7f450f678d3e084b17b8a5cc2dc65031
Instruction ID: 3ca9531f21be58113d7d9d217c50f51ffc4f58b317381860c9459ee0f654366c
Opcode Fuzzy Hash: 50b1869bede77c71e718fd531b38a10a7f450f678d3e084b17b8a5cc2dc65031
Instruction Fuzzy Hash: 78212C705093019FC714DF28C88186A77E4FE56768F508B1AF499C73A1E731D946DB93

Function 008D1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D102A
Part of subcall function 008D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D1036
Part of subcall function 008D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D1045
Part of subcall function 008D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008D104C
Part of subcall function 008D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008D15BE
_memcmp.LIBVCRUNTIME ref: 008D15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D1617
HeapFree.KERNEL32(00000000), ref: 008D161E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: dadfab4f8760eabbd4e40fa46fa827deb56121b2da6e7980f98d96d0ee483c32
Instruction ID: c46073d6ea24c0d20f045cd681c87d1637e08cc618f6be8c97b561c544ce8ada
Opcode Fuzzy Hash: dadfab4f8760eabbd4e40fa46fa827deb56121b2da6e7980f98d96d0ee483c32
Instruction Fuzzy Hash: FE215571E00109AFDF00DFA4D949BEEB7B8FF54344F08465AE441EB241E734AA45DBA0

Function 00902782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0090280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00902824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00902832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00902840

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0e013583a9800f07fbd477a63d1cabe0a3cacae9e3c991bccab3c53c8367cd2e
Instruction ID: a00bd008258371af598e35c890d22e279528c226f5a404631c88c960721fd65d
Opcode Fuzzy Hash: 0e013583a9800f07fbd477a63d1cabe0a3cacae9e3c991bccab3c53c8367cd2e
Instruction Fuzzy Hash: 3421B635208511AFD7149B24CC49F6A7799EF86324F248258F816CB6D2CB75FC42C791

Function 008D78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008D790A,?,000000FF,?,008D8754,00000000,?,0000001C,?,?), ref: 008D8D8C
Part of subcall function 008D8D7D: lstrcpyW.KERNEL32(00000000,?,?,008D790A,?,000000FF,?,008D8754,00000000,?,0000001C,?,?,00000000), ref: 008D8DB2
Part of subcall function 008D8D7D: lstrcmpiW.KERNEL32(00000000,?,008D790A,?,000000FF,?,008D8754,00000000,?,0000001C,?,?), ref: 008D8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008D8754,00000000,?,0000001C,?,?,00000000), ref: 008D7923
lstrcpyW.KERNEL32(00000000,?,?,008D8754,00000000,?,0000001C,?,?,00000000), ref: 008D7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,008D8754,00000000,?,0000001C,?,?,00000000), ref: 008D7984

Strings

cdecl, xrefs: 008D797B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 523688717f979b1ea5176031bb6d615a626cf0e8de8726caa4d17caa062256f3
Instruction ID: 9581619fdfe90c8254fd379d2919248cbbb6916a2e446d4f83abfde21cf4350c
Opcode Fuzzy Hash: 523688717f979b1ea5176031bb6d615a626cf0e8de8726caa4d17caa062256f3
Instruction Fuzzy Hash: 9211E43A204201BFCB155F39C855D7A77A5FF85350B00412BF902CB3A4FB359811D761

Function 00907CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00907D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00907D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00907D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008EB7AD,00000000), ref: 00907D6B

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4c46ac3d7a9fb601efafd707d03e87d4170fcad3f09d6155fd44dfc5971bfcbe
Instruction ID: 2c19d35af1d550384f1b0a49e39142d45cce00656a9f34c43c29ed7b0d9a43c2
Opcode Fuzzy Hash: 4c46ac3d7a9fb601efafd707d03e87d4170fcad3f09d6155fd44dfc5971bfcbe
Instruction Fuzzy Hash: C511D235A19625AFCB109F68DC04E667BA9AF46370B154724F835C72F0E730E990DB50

Function 00905660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009056BB
_wcslen.LIBCMT ref: 009056CD
_wcslen.LIBCMT ref: 009056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00905816

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ccb1396d955a644f3d19bc4150f4476720fc2ae8cd0a8cbf9f576820fd3235c3
Instruction ID: 20ec4ae7edbc48556b3d10ff18331620e77075390eb5241a7c91528856aad743
Opcode Fuzzy Hash: ccb1396d955a644f3d19bc4150f4476720fc2ae8cd0a8cbf9f576820fd3235c3
Instruction Fuzzy Hash: 5111DC75A00608AEDF209BA5CC85EEF7BACEF00360B504426F915D60D1EBB48A80CF60

Function 008A1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3fe5303262c59f805cbdf68036aa9d0200c4d5be21202147726f72605b94fc
Instruction ID: f3232c7b47ac415434b9fd4d16a879ae35c0c81b4c0913355973f74fa4427eaa
Opcode Fuzzy Hash: ad3fe5303262c59f805cbdf68036aa9d0200c4d5be21202147726f72605b94fc
Instruction Fuzzy Hash: 93016DB260961A7EFA61267C6CC5F67661DFF837B8F340329F621E19D2DB708C005161

Function 008D1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008D1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D1A8A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5dcc9b6afedc5e3c71d9944bbcb4094abdfa7c092d005082138479a3438b8404
Instruction ID: 7361664f1844f80406830c98c3d4fcfabdb7f3302f94880595f0fa6ce5f221ff
Opcode Fuzzy Hash: 5dcc9b6afedc5e3c71d9944bbcb4094abdfa7c092d005082138479a3438b8404
Instruction Fuzzy Hash: 1211273A901229FFEF109BA4C985FADBB78FF08750F200192EA00B7290D7716E50DB94

Function 008DE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008DE1FD
MessageBoxW.USER32(?,?,?,?), ref: 008DE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008DE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008DE24D

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4f570dee2fd1cc2eaf606955d2a51511c6ef8a1ef13676eb7cde5c594e37ba4e
Instruction ID: 64172da56268488cd9f68dfe7456a13a9f84e239659fc2d628da29be89adb621
Opcode Fuzzy Hash: 4f570dee2fd1cc2eaf606955d2a51511c6ef8a1ef13676eb7cde5c594e37ba4e
Instruction Fuzzy Hash: 6A11DBB6928258BFC701AFA89C05E9F7FACEB45710F14435AF924E7391D670DD0497A0

Function 0089D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0089CFF9,00000000,00000004,00000000), ref: 0089D218
GetLastError.KERNEL32 ref: 0089D224
__dosmaperr.LIBCMT ref: 0089D22B
ResumeThread.KERNEL32(00000000), ref: 0089D249

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 393c269da10c409e4743244918a47c1945ab4d8d8968f3e8bf65f350bb444821
Instruction ID: ac22ae99696c1bf5b25a848f0e6a91d527c002a557dd1a132e630eb381e4ff3a
Opcode Fuzzy Hash: 393c269da10c409e4743244918a47c1945ab4d8d8968f3e8bf65f350bb444821
Instruction Fuzzy Hash: 96012272818308BBCF207BE9DC09BAA7A68FF81730F280319F924D21D0CB71D900D6A1

Function 00909EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00889BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00889BB2

GetClientRect.USER32(?,?), ref: 00909F31
GetCursorPos.USER32(?), ref: 00909F3B
ScreenToClient.USER32(?,?), ref: 00909F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00909F7A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f2a47b90e05e36bf45c6a40a4d7254d350a5ca736511f75e1f5a5267db48b3b4
Instruction ID: c8820e1692e5b85bf4db08d2a79a67eaaba3d1c530077fa038c734cb84e3eca1
Opcode Fuzzy Hash: f2a47b90e05e36bf45c6a40a4d7254d350a5ca736511f75e1f5a5267db48b3b4
Instruction Fuzzy Hash: A311337690421AAFDB10EFA8D8899EE77B8FB45711F000551FA01E3182D730BE81DBA1

Function 0087600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0087604C
GetStockObject.GDI32(00000011), ref: 00876060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0087606A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 86173c418b12edabe188598d093c3452aae189a6b19083186f487dec6de478eb
Instruction ID: 5b62158fafb7d7112e778b7287309a9aee661e2e8aeba4e656690b383a5fd128
Opcode Fuzzy Hash: 86173c418b12edabe188598d093c3452aae189a6b19083186f487dec6de478eb
Instruction Fuzzy Hash: 971161B2505909BFEF124F94DC44EEA7B69FF19364F044215FA18A2164D732DC60EF90

Function 00893B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00893B56

Part of subcall function 00893AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00893AD2
Part of subcall function 00893AA3: ___AdjustPointer.LIBCMT ref: 00893AED

_UnwindNestedFrames.LIBCMT ref: 00893B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00893B7C
CallCatchBlock.LIBVCRUNTIME ref: 00893BA4

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: eae911b073ff1dcc07653fb5402e2fe1e762f26e5d4d4c4c30a5f2c9bfc27b8d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 1D01ED32100149BBDF116E99CC46DEB7B69FF58764F084014FE48A6121C732D961DBA1

Function 008A3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008713C6,00000000,00000000,?,008A301A,008713C6,00000000,00000000,00000000,?,008A328B,00000006,FlsSetValue), ref: 008A30A5
GetLastError.KERNEL32(?,008A301A,008713C6,00000000,00000000,00000000,?,008A328B,00000006,FlsSetValue,00912290,FlsSetValue,00000000,00000364,?,008A2E46), ref: 008A30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008A301A,008713C6,00000000,00000000,00000000,?,008A328B,00000006,FlsSetValue,00912290,FlsSetValue,00000000), ref: 008A30BF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a8373b140d39659fddb42aaa11b1b355912052150475609daa6719843c8ccca2
Instruction ID: a5a65688000d52cffad99e6bceaee9422c469d7b3432f90e53e2694a7bc494d8
Opcode Fuzzy Hash: a8373b140d39659fddb42aaa11b1b355912052150475609daa6719843c8ccca2
Instruction Fuzzy Hash: 93012B72329A26AFEB314B799C449577B98FF47BA1B200720FA15E3580D721D901C6E0

Function 008D7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 008D747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008D7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008D74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008D74CA

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ab0217f9504994d9bc8c62e36b9f78e90be6986c87a6b4cd99986afdddde83cf
Instruction ID: 3824a992c35879cb461d4d43e2c526bd8ee11435fea9c1d952bf2468fe1b09fe
Opcode Fuzzy Hash: ab0217f9504994d9bc8c62e36b9f78e90be6986c87a6b4cd99986afdddde83cf
Instruction Fuzzy Hash: 4211C4B12093159FE7218F14DC08F92BFFDFB00B04F10866AE616D6291E770E944EB54

Function 008DB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008DACD3,?,00008000), ref: 008DB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008DACD3,?,00008000), ref: 008DB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,008DACD3,?,00008000), ref: 008DB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,008DACD3,?,00008000), ref: 008DB126

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c526da6ba29dbd82d13955ac8d5a01717951f7966b36fb049e0ad94f0e54d989
Instruction ID: ac3288b1fa728ca6410f398740b870b63c30e43f5370e23dcb0a77640397fe65
Opcode Fuzzy Hash: c526da6ba29dbd82d13955ac8d5a01717951f7966b36fb049e0ad94f0e54d989
Instruction Fuzzy Hash: DD116171C0561DDBCF00AFE4D9596EEBB78FF09711F124286D941F2241DB3059509B91

Function 00907E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00907E33
ScreenToClient.USER32(?,?), ref: 00907E4B
ScreenToClient.USER32(?,?), ref: 00907E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00907E8A

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: abab30ee36249dfb9b8f0b3ef872948fcf97caa920ea74bf9ee6fa41d0ab6ed8
Instruction ID: de744762d03db4e6eb3c8a890bf0ad3117498c469ddefc9a5aa345e4920268ed
Opcode Fuzzy Hash: abab30ee36249dfb9b8f0b3ef872948fcf97caa920ea74bf9ee6fa41d0ab6ed8
Instruction Fuzzy Hash: 2B1183B9D0420AAFDB41CF98C884AEEBBF9FF08310F108166E911E3250D735AA54DF90

Function 008D2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 008D2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 008D2DD6
GetCurrentThreadId.KERNEL32 ref: 008D2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 008D2DE4

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 55b2b9ef52d519e58adc220e451b98d8dd0e82da34eeb15f1d5116c37d4b5ebd
Instruction ID: 97ac82998d7156cffad0135553700d712af2f74e9d3af452d93d61d677104b2a
Opcode Fuzzy Hash: 55b2b9ef52d519e58adc220e451b98d8dd0e82da34eeb15f1d5116c37d4b5ebd
Instruction Fuzzy Hash: CAE06DB21192287AD7201B629C0DEEB3F6DFB56BA1F000316B105D11809AA18880D6B0

Function 00908863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00889639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00889693
Part of subcall function 00889639: SelectObject.GDI32(?,00000000), ref: 008896A2
Part of subcall function 00889639: BeginPath.GDI32(?), ref: 008896B9
Part of subcall function 00889639: SelectObject.GDI32(?,00000000), ref: 008896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00908887
LineTo.GDI32(?,?,?), ref: 00908894
EndPath.GDI32(?), ref: 009088A4
StrokePath.GDI32(?), ref: 009088B2

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6a948177a6b79092061ff7f84921b221d746e126dc9ecbcfa666e9a7a7f68cf7
Instruction ID: 11e2f9a638668f1d3a095f3c28bf7aa6df00e2011647d69a6b6d888bf500621b
Opcode Fuzzy Hash: 6a948177a6b79092061ff7f84921b221d746e126dc9ecbcfa666e9a7a7f68cf7
Instruction Fuzzy Hash: 3BF03A36159259FAEB126F94AC09FCA3E69AF06310F048100FA11650E1C7755551EBE5

Function 008898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008898CC
SetTextColor.GDI32(?,?), ref: 008898D6
SetBkMode.GDI32(?,00000001), ref: 008898E9
GetStockObject.GDI32(00000005), ref: 008898F1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f97f1c75099ddd8e87af30e55590db6df2f373410ef7a3f00c162e9ce318517c
Instruction ID: 204dcae7bfd8f40267977153f42c2911ec3e6c2ee033a3c0587819d4307ff76d
Opcode Fuzzy Hash: f97f1c75099ddd8e87af30e55590db6df2f373410ef7a3f00c162e9ce318517c
Instruction Fuzzy Hash: 2DE06D7125C280AEDB215B74AC09BE83F20FB12336F048319FAFA980E1C3718650AF10

Function 008D162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008D1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008D11D9), ref: 008D163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008D11D9), ref: 008D1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008D11D9), ref: 008D164F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5e34647a52042f04976b7afdca5e87396326f74e94cff04cbf2335bf175af823
Instruction ID: 07dfb73e8fbd8c95e93e7b3911a097d02702a2df6128b4182b9a258b5f80b09e
Opcode Fuzzy Hash: 5e34647a52042f04976b7afdca5e87396326f74e94cff04cbf2335bf175af823
Instruction Fuzzy Hash: B1E08CB261A211EFEB201FA0AE0DB863B7CFF54B92F148A09F245D9080E6348440EB60

Function 008CD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008CD858
GetDC.USER32(00000000), ref: 008CD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008CD882
ReleaseDC.USER32(?), ref: 008CD8A3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b67e15ebc022ae3d22247a7fc9800907652f7b5abee7cd8ab6d396aa6c5a5ab4
Instruction ID: a8a3724305b6cb46346354152c3c00723929cf3fb52bb206c208e337816ce67d
Opcode Fuzzy Hash: b67e15ebc022ae3d22247a7fc9800907652f7b5abee7cd8ab6d396aa6c5a5ab4
Instruction Fuzzy Hash: 13E01AB0814209DFCF51AFA0D80CA6DBBB1FB08310F108519F846E7250CB399901BF50

Function 008CD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 008CD86C
GetDC.USER32(00000000), ref: 008CD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008CD882
ReleaseDC.USER32(?), ref: 008CD8A3

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d4860634b4d5a9ba4e581047ec89e24cb1cf4e96cabb7b0cd2c08c90f52ef9f4
Instruction ID: 34809a0f4d7a7edd407b14a20cd14b2c652993b389f03830a8371a932cb863e3
Opcode Fuzzy Hash: d4860634b4d5a9ba4e581047ec89e24cb1cf4e96cabb7b0cd2c08c90f52ef9f4
Instruction Fuzzy Hash: D8E092B5818209EFCF61AFA4D80C66DBBB5FB08311F149549E94AE7290CB799901BF50

Function 008E4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00877620: _wcslen.LIBCMT ref: 00877625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 008E4ED4

Strings

*, xrefs: 008E4E10
LPT, xrefs: 008E4DFB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 1bccc2bd6300ecee433f45899591ddc46ccc4b72604eb36dd451439e9ecbb960
Instruction ID: 9b3b7144724a86e3260f4a8721b20d73af72d2c672fe8a88bf82fb5cc75dfbf8
Opcode Fuzzy Hash: 1bccc2bd6300ecee433f45899591ddc46ccc4b72604eb36dd451439e9ecbb960
Instruction Fuzzy Hash: A5916D75A042449FCB14DF59C484EAABBF1FF45718F189099E80A9F3A2CB31ED85CB91

Function 0088E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0088E1B1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f4c6ccf8b185ba30568a25b9a4318cbe5769f94269ac77d9b27eddbbbd1d9549
Instruction ID: a351477fd70cb5a76ed6ccf605df652bc7b206a8f2ee0fbd7a9da2bfb6607d0a
Opcode Fuzzy Hash: f4c6ccf8b185ba30568a25b9a4318cbe5769f94269ac77d9b27eddbbbd1d9549
Instruction Fuzzy Hash: 2451FF7550424ADFDB25EF28C481ABA7BB8FF25310F248059F891DB290D734DD52CBA1

Function 0088F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0088F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0088F2BB

Strings

@, xrefs: 0088F2AF

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 82b46ebfda105f9531c821a3a32a0205398782ba3ec1646ab628dd832b45220c
Instruction ID: 3e63de8d41f2cda380b92585463029fbbc21e99274df148616a0c45be424329c
Opcode Fuzzy Hash: 82b46ebfda105f9531c821a3a32a0205398782ba3ec1646ab628dd832b45220c
Instruction Fuzzy Hash: 035126714187449BD320AF14DC86BAFBBF8FB95304F81885DF299811A9EF708529CB67

Function 008F5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008F57E0
_wcslen.LIBCMT ref: 008F57EC

Strings

CALLARGARRAY, xrefs: 008F57E6, 008F57EB

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 34083b21fd474b5f2f4b80c48db4a877916a01c649913d73711c44c5519d3557
Instruction ID: c10d173ed8316420695dba7c60324b0a601e3237fd3d4c807880e426b5b7dbff
Opcode Fuzzy Hash: 34083b21fd474b5f2f4b80c48db4a877916a01c649913d73711c44c5519d3557
Instruction Fuzzy Hash: B0419F71A102099FCB14EFB8C8828BEBBB5FF59764F144129E605E7291E7349D81CB91

Function 008ED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008ED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008ED13A

Strings

|, xrefs: 008ED10B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: e6167d6a37695d98bd78ff98919332a09c65960bb2241781f368210d3f451e0b
Instruction ID: 51f2ee2ba03609557016c27595dd18ceb54512f8c6f08d4397259bf5e9384f3d
Opcode Fuzzy Hash: e6167d6a37695d98bd78ff98919332a09c65960bb2241781f368210d3f451e0b
Instruction Fuzzy Hash: AF311971D00219ABCF15EFA9CC85AEEBFB9FF15300F104019F819E6166E731AA16DB61

Function 0090356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00903621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0090365C

Strings

static, xrefs: 009035BC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a92ec66c270d3387c8c519048560959d678115b57008ca8345fd73d6369b0644
Instruction ID: 6cfb85380ea1ea61397c9ac13d8321b0d2cee6ea4f1320913f27654131799a98
Opcode Fuzzy Hash: a92ec66c270d3387c8c519048560959d678115b57008ca8345fd73d6369b0644
Instruction Fuzzy Hash: BA316B71110604AEDB209F68DC81EBB73ADFF88724F10D619F9A9D7290DA31AD91DB60

Function 00904537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0090461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00904634

Strings

', xrefs: 0090458E

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 53d47863e301e28c70e1c99b205f619faaaff50a44825b893cdb4e1f00bdfa4c
Instruction ID: 5e07dba63befe1ae4e7fcdb518d72d2b41748c2e84404481c1af4d20e3c9df70
Opcode Fuzzy Hash: 53d47863e301e28c70e1c99b205f619faaaff50a44825b893cdb4e1f00bdfa4c
Instruction Fuzzy Hash: 2E313AB4A013099FDF14CFA9C980BDA7BB9FF49300F104069EA04AB381E771A941CF90

Function 009031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0090327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00903287

Strings

Combobox, xrefs: 00903249

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 365c92bc82eb2d4bd7888f283cacac8ce12624d12b0eba142231185ba19f4d8a
Instruction ID: 572857d6eb36700203b86209546e8b21a9079f270a55aaf71c8272656c0712fd
Opcode Fuzzy Hash: 365c92bc82eb2d4bd7888f283cacac8ce12624d12b0eba142231185ba19f4d8a
Instruction Fuzzy Hash: 2311B2713042087FEF219F98DC81EBB37AEEB94364F108225F928972D0D6319D519760

Function 00903710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0087600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0087604C
Part of subcall function 0087600E: GetStockObject.GDI32(00000011), ref: 00876060
Part of subcall function 0087600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0087606A

GetWindowRect.USER32(00000000,?), ref: 0090377A
GetSysColor.USER32(00000012), ref: 00903794

Strings

static, xrefs: 00903757

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9510b85bf27517264cbc49b4cd1e6a2db69564fe73e77d098deb1986c4a2f2bf
Instruction ID: f11af5aa132ce839a19ca40f95549551e30ec25c6e1472d3c77336d3b28dbb2c
Opcode Fuzzy Hash: 9510b85bf27517264cbc49b4cd1e6a2db69564fe73e77d098deb1986c4a2f2bf
Instruction Fuzzy Hash: C41129B2610209AFDB00DFA8CC45EEA7BF8FB08314F004A15F955E2290E735E8619B50

Function 008ECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008ECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008ECDA6

Strings

<local>, xrefs: 008ECD66

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c15e912a4ece3bdbf6043a83db0f4ccc0610e72e81d3bfe766629c3916fd4c0a
Instruction ID: 1811b59c37cffcd03e3587774cfb1920700a5dc6c66ab98a1c37b45b38288743
Opcode Fuzzy Hash: c15e912a4ece3bdbf6043a83db0f4ccc0610e72e81d3bfe766629c3916fd4c0a
Instruction Fuzzy Hash: 4911A371B15675BED7344B678C45EE7BEADFB137A8F004226B509C2080D6659842D6F0

Function 00903429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009034BA

Strings

edit, xrefs: 0090348F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ed364ba12c6fc8cde46e86371a919c6e5414173ff4423b59d8465d925969c92f
Instruction ID: abbb4b45d946affc7573829d1ba421c5dded5b3eec9a59097724021f4e7b9a9a
Opcode Fuzzy Hash: ed364ba12c6fc8cde46e86371a919c6e5414173ff4423b59d8465d925969c92f
Instruction Fuzzy Hash: 0611BC71100208AFEB228F64DC80AAB37AEEF05778F508724F9609B1E0C771DC91AB60

Function 008D6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

CharUpperBuffW.USER32(?,?,?), ref: 008D6CB6
_wcslen.LIBCMT ref: 008D6CC2

Strings

STOP, xrefs: 008D6CBC, 008D6CC1

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 636a660f593f60c47edc488dd526145fd5c8bd90d70d8e9b59c1836d41b9f9f7
Instruction ID: 164c64bf6c46b515edca84728f0035bfa7662594cb847b478db88a7ce8ccbbe4
Opcode Fuzzy Hash: 636a660f593f60c47edc488dd526145fd5c8bd90d70d8e9b59c1836d41b9f9f7
Instruction Fuzzy Hash: 0F010432A2452F8ACB20AFBDDC809BF37A5FB60714B000626E852D2295FA32D920C650

Function 008D1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008D1D4C

Strings

ComboBox, xrefs: 008D1CEB
ListBox, xrefs: 008D1D16

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: fbe30c2be681ace284ba9d63386c163cdc546f09843a5e2d5c95a64d99da6872
Instruction ID: 950922de4d878195271afd0fb1b4d1fddb000361babf7b07bbc222004a129f00
Opcode Fuzzy Hash: fbe30c2be681ace284ba9d63386c163cdc546f09843a5e2d5c95a64d99da6872
Instruction Fuzzy Hash: 8201B571611218ABCF14EBA8CC55CFE73A9FF56354F04071AF866D73C5EB3199088662

Function 008D1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 008D1C46

Strings

ComboBox, xrefs: 008D1BE5
ListBox, xrefs: 008D1C10

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 63adcf300d86f0c2b6acf692e60619128a4f2feaef667b8b42238ca29cc65185
Instruction ID: ea79c314741aa9a9db1104992804e17794c7f1c4be9f4ecfa18e734213a89084
Opcode Fuzzy Hash: 63adcf300d86f0c2b6acf692e60619128a4f2feaef667b8b42238ca29cc65185
Instruction Fuzzy Hash: 1201D4717901087ADF04EB94C956DFF73A8FF65344F10011AE446E3382EA209B0886B3

Function 008D1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 008D1CC8

Strings

ComboBox, xrefs: 008D1C69
ListBox, xrefs: 008D1C94

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1d59a96fafb3d05b9f7739a73a8d1977523b8abd33df9c02457059542dccd7c5
Instruction ID: 0bac762974cae7035b21b1f6df954fb7d5f79ccb7c8ebeef1af8741c74b0122c
Opcode Fuzzy Hash: 1d59a96fafb3d05b9f7739a73a8d1977523b8abd33df9c02457059542dccd7c5
Instruction Fuzzy Hash: B2018FB179011876CF14EBA9CA46AFE73A8FF11344F140116A846E3381EA219F088673

Function 008D1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00879CB3: _wcslen.LIBCMT ref: 00879CBD

Part of subcall function 008D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 008D3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 008D1DD3

Strings

ComboBox, xrefs: 008D1D75
ListBox, xrefs: 008D1DA0

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c155db273dbf2326694d1254f8bc4995d1c6d29319a7214dd31ee3f043e36b58
Instruction ID: 60dc4995e01cdbfb6a2a7c9ff150dd0ec51b52c746c2d933746e4fc5edb9b7ec
Opcode Fuzzy Hash: c155db273dbf2326694d1254f8bc4995d1c6d29319a7214dd31ee3f043e36b58
Instruction Fuzzy Hash: 22F0D671B502186ACB04A7A8CC56EFE7378FF55354F040A16F466E33C1DB609A088662

Function 008F747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008F7493
_wcslen.LIBCMT ref: 008F74B9

Strings

3, 3, 16, 1, xrefs: 008F7483

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: beec4bc1fed0171431852b5fae93fa802ff5aa9676549643561b159761661e6e
Instruction ID: 4ca30a7bb6cd1ba5fc6cf2a2c0d6ca2e1f9b80bc83ca2d245705606bdc1d5e87
Opcode Fuzzy Hash: beec4bc1fed0171431852b5fae93fa802ff5aa9676549643561b159761661e6e
Instruction Fuzzy Hash: 0EE02B0220422410A231327DACC1D7F5A89FFD9750B14282BFB81C227AEA948D9293A6

Function 008D0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008D0B23

Strings

AutoIt, xrefs: 008D0B17
Error allocating memory., xrefs: 008D0B1C

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5eadfc9bb9a6923e9f1db8433913f9f7a581921ec332d961c3a2bf0475106af6
Instruction ID: 9851f3a24d35a5c80e1daad12bd076017256f2f2fe2c59c9d89028d7a059e89c
Opcode Fuzzy Hash: 5eadfc9bb9a6923e9f1db8433913f9f7a581921ec332d961c3a2bf0475106af6
Instruction Fuzzy Hash: 28E020712483187ED62437587C03F897BC4EF05F65F100527F798D55C38AD164A01BEA

Function 00890D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0088F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00890D71,?,?,?,0087100A), ref: 0088F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0087100A), ref: 00890D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0087100A), ref: 00890D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00890D7F

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8a3ef03dbe51b2469d2c5d483f04fe8adc3e4bbd1074ee06d5e0426dc265c315
Instruction ID: 5478c0b7d9b8e597682d8e4d5e8fba99e075d9e8e6bdbe08a08c085496be2aa7
Opcode Fuzzy Hash: 8a3ef03dbe51b2469d2c5d483f04fe8adc3e4bbd1074ee06d5e0426dc265c315
Instruction Fuzzy Hash: 46E092B42007418FEB30AFBCD4087427BE4FF00744F048A2DE8A6C6A96DBB0E4489F91

Function 008E3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 008E302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 008E3044

Strings

aut, xrefs: 008E3038

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: afab87a81dc6abade14f0d1188ad96b59bc2d2834aa24c371cfede45ee5381f8
Instruction ID: 1979d86f180737ea48c7d5705dd8fd89a0376b67d827aa0628fdb6478bd0e9fc
Opcode Fuzzy Hash: afab87a81dc6abade14f0d1188ad96b59bc2d2834aa24c371cfede45ee5381f8
Instruction Fuzzy Hash: F9D05EB25003287BDA20A7A8AC0EFCB3A6CDB05750F4002A1B665E20D5DAB0D984CAD0

Function 008CD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008CD220

Strings

X64, xrefs: 008CD2A8
%.3d, xrefs: 008CD22B

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 98ea39123490ecd51e20683e2eef870a106fcd9f962ca04f28680afc84d1266d
Instruction ID: ac5885141a035d7e08c7660a3a8a05d11252d3ad22c579ac9412440bd14073b5
Opcode Fuzzy Hash: 98ea39123490ecd51e20683e2eef870a106fcd9f962ca04f28680afc84d1266d
Instruction Fuzzy Hash: 89D012A1C0830DE9CB50B7D0DC45EBAF3BCFB09305F508476F906D2041D634E5486B61

Function 00902322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0090232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0090233F

Part of subcall function 008DE97B: Sleep.KERNEL32 ref: 008DE9F3

Strings

Shell_TrayWnd, xrefs: 00902325

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1a83eb0367693cc7b23bba23b94ed6ec5dfe732e5b9e164db0784255b9f6c0dc
Instruction ID: ecacf5a11856643dbd06f83816fe68b4201762c5a449475293aa9dab8c95ca89
Opcode Fuzzy Hash: 1a83eb0367693cc7b23bba23b94ed6ec5dfe732e5b9e164db0784255b9f6c0dc
Instruction Fuzzy Hash: DBD0C9B63A9310BAE668B7709C5FFC66A58AB40B14F104A167646AA1D0C9A0A8019A54

Function 00902356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0090236C
PostMessageW.USER32(00000000), ref: 00902373

Part of subcall function 008DE97B: Sleep.KERNEL32 ref: 008DE9F3

Strings

Shell_TrayWnd, xrefs: 00902365

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 539d9d44b0ccbaf73b8730ba8854f7ca81e5870f7501657552d7dd65c08ce876
Instruction ID: 395933432c89db3264f138d87c0feb3bfe271517fefa4aaa74cf3c08dda371ec
Opcode Fuzzy Hash: 539d9d44b0ccbaf73b8730ba8854f7ca81e5870f7501657552d7dd65c08ce876
Instruction Fuzzy Hash: 32D0C9B6399310BAE668B7709C4FFC66A58AB44B14F504A167646EA1D0C9A0A8019A54

Function 008ABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008ABE93
GetLastError.KERNEL32 ref: 008ABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008ABEFC

Memory Dump Source

Source File: 00000000.00000002.2281663418.0000000000871000.00000020.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.2281621303.0000000000870000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.000000000090C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2281923799.0000000000932000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282123524.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282168255.0000000000944000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e8729af220de2fe4fa51ccf0da21c9f3f7bbfffa8b6d4bf82d7acaf24e0c5217
Instruction ID: 0b61ccf394e7bc5c74a16449df6f59b0b56f4c4e0bc91b96f7473a34fedab877
Opcode Fuzzy Hash: e8729af220de2fe4fa51ccf0da21c9f3f7bbfffa8b6d4bf82d7acaf24e0c5217
Instruction Fuzzy Hash: B7410534605206AFEF218FA8CC54AAA7BA4FF03310F184269F959D75A2EF308C10DB61

Analysis Process: firefox.exePID: 5208, Parent PID: 4392COMMON

Executed Functions

Function 0000026A9A995FDE Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.2312931375.0000026A9A991000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000026A9A991000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_26a9a991000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01edb3e2c8759ee15029700c306cc2cb60b03e7b4b8cca3fe068c53a6ab27e4
Instruction ID: a241981b5b49d070b4555a511b010163edce5682ac61b2e01063b60f7d22df60
Opcode Fuzzy Hash: d01edb3e2c8759ee15029700c306cc2cb60b03e7b4b8cca3fe068c53a6ab27e4
Instruction Fuzzy Hash: 1511C230615A0DAFCF85DF28C8C8F6477A1FBAD310F25429AD606EB2C2C232E845CB55

Function 0000026A9A995FBF Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.2312931375.0000026A9A991000.00000020.00000800.00020000.00000000.sdmp, Offset: 0000026A9A991000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_26a9a991000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99e745f2f82a5530e975a7234bd8e30381657008e4250cc70f6e471ae127bc8
Instruction ID: fd15a778b1b0320b378e4754ea9dd8d5b2dec39945c4f5b4fdc600713f1444d4
Opcode Fuzzy Hash: c99e745f2f82a5530e975a7234bd8e30381657008e4250cc70f6e471ae127bc8
Instruction Fuzzy Hash: 7D116D7060A7889FCB86DF28C8D9E25BBF0FF6A310B1545DEC245DB193C2269C44CB65

Analysis Process: firefox.exePID: 7232, Parent PID: 5208COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000024D59AE39F7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000024D59AE3A1C

Memory Dump Source

Source File: 00000011.00000002.3484495239.0000024D59AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000024D59AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_24d59ae1000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a10a38f4afd427e97fdf239b8bc171b99ad3ba19659c2c00eb60168167a069fa
Instruction ID: dda2f1b153f0af4cb8ca974827e1bcc2e5124c1ee5d7ccc9e355b8321d5b302e
Opcode Fuzzy Hash: a10a38f4afd427e97fdf239b8bc171b99ad3ba19659c2c00eb60168167a069fa
Instruction Fuzzy Hash: E2A3F531614A4D8BDB2EDF28DC897A977E5FB95300F44426EE94BC7251DF30EA428B81

Function 0000024D59623F00 Relevance: .1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.3483545688.0000024D59623000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000024D59623000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_24d59623000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c0ffab9765fec6300a7240f860874a60f90d26414b8faf61fd171d05ff0221
Instruction ID: aa65feba447fbcdc991d12bf66a82de0ace0e26853bfe84976a1bb63d89ccde3
Opcode Fuzzy Hash: a1c0ffab9765fec6300a7240f860874a60f90d26414b8faf61fd171d05ff0221
Instruction Fuzzy Hash: 9A21B43151DB8C4FD745DF28D844A96BBF0FB6A310F1506AFE099C3292DB34D9498782

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2419087457.00001CE04F203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2419087457.00001CE04F203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2454399335.0000014DF0FB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2432850637.0000014DF0FA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2425028564.0000014DF0FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2422752466.0000014DF26E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2431730113.0000014DF26E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2397668562.0000014DF26E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2409659105.0000014DE8F66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2410411915.0000014DE8F14000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2426367604.0000014DEAEBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2409659105.0000014DE8F66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2410411915.0000014DE8F14000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2408340450.0000014DE985F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2285872742.0000014DE91FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2435050047.0000014DE91FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2454399335.0000014DF0FB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2422752466.0000014DF26E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2431730113.0000014DF26E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2397668562.0000014DF26E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2409659105.0000014DE8F66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2410411915.0000014DE8F14000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2426367604.0000014DEAEBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2409659105.0000014DE8F66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2410411915.0000014DE8F14000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2408340450.0000014DE985F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3480472417.0000024D59503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3480846199.0000013EFA60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3480472417.0000024D59503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3480846199.0000013EFA60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3480472417.0000024D59503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3480846199.0000013EFA60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2397668562.0000014DF26B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2285872742.0000014DE91FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2435050047.0000014DE91FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2454399335.0000014DF0FB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2419087457.00001CE04F203000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2422752466.0000014DF26E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2441717398.0000014DEF6D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2431730113.0000014DF26E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2432850637.0000014DF0F5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2425028564.0000014DF0F5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2435050047.0000014DE91D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2285872742.0000014DE91D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2439458468.0000014DE893B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.6:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49917 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49916 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:49921 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8fb3b949-7fcf-48e1-bd50-adae5b1cbdb8.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8fb3b949-7fcf-48e1-bd50-adae5b1cbdb8.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre